
Conversation

confusedcrib
Contributor

No description provided.

zeropath-ai bot commented Feb 27, 2025

We have finished reviewing your PR. We have found no vulnerabilities.

Reply to this PR with @zeropath-ai followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.

cursor = conn.cursor()
try:
    sql_query = f"SELECT * FROM video_games WHERE title = '{query}'"
    cursor.execute(sql_query)

Check failure

Code scanning / CodeQL

SQL query built from user-controlled sources High

This SQL query depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the problem, we should use parameterized queries instead of directly embedding user input into the SQL query string. Parameterized queries ensure that user input is treated as data rather than executable code, thus preventing SQL injection attacks.

In the provided code snippet, we need to modify the SQL query construction and execution to use parameterized queries. Specifically, we will replace the f-string formatted query with a parameterized query using placeholders and pass the user input as a parameter to the execute method.

Suggested changeset 1
insecure-api/main-2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-api/main-2.py b/insecure-api/main-2.py
--- a/insecure-api/main-2.py
+++ b/insecure-api/main-2.py
@@ -117,4 +117,4 @@
     try:
-        sql_query = f"SELECT * FROM video_games WHERE title = '{query}'"
-        cursor.execute(sql_query)
+        sql_query = "SELECT * FROM video_games WHERE title = ?"
+        cursor.execute(sql_query, (query,))
         rows = cursor.fetchall()
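Review bot: the `?` in the new `sql_query` line is the DB-API qmark paramstyle, which is right for the stdlib `sqlite3` module but a syntax error under drivers such as psycopg2 or mysql-connector that expect `%s`; confirm which driver `conn` comes from (its module exposes a `paramstyle` attribute) before merging. Parameterization is the correct fix here, nothing else needed on this hunk.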
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
        rows = cursor.fetchall()
    except Exception as e:
        # Return the exception message for educational purposes (not recommended in production)
        return {"error": str(e)}

Check warning

Code scanning / CodeQL

Information exposure through an exception Medium

Stack trace information flows to this location and may be exposed to an external user.

Copilot Autofix

AI 7 months ago

To fix the problem, we should avoid returning the detailed exception message to the user. Instead, we should log the exception on the server and return a generic error message to the user. This approach ensures that sensitive information is not exposed while still allowing developers to debug issues using the server logs.

  • Modify the code to log the exception message instead of returning it to the user.
  • Return a generic error message to the user indicating that an internal error has occurred.
Suggested changeset 1
insecure-api/main-2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-api/main-2.py b/insecure-api/main-2.py
--- a/insecure-api/main-2.py
+++ b/insecure-api/main-2.py
@@ -121,4 +121,5 @@
     except Exception as e:
-        # Return the exception message for educational purposes (not recommended in production)
-        return {"error": str(e)}
+        # Log the exception message and return a generic error message to the user
+        print(f"Exception occurred: {e}")  # Replace with proper logging in production
+        return {"error": "An internal error has occurred. Please try again later."}
     finally:
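Review bot: the new `print(f"Exception occurred: {e}")` line writes only `str(e)` to stdout, so the stack trace CodeQL flagged is now dropped rather than logged; call `logging.exception("...")` from inside the `except` block instead, which records the traceback at ERROR level. Also, `return {"error": ...}` from a FastAPI handler still answers with HTTP 200, so clients and monitoring cannot distinguish a failure from a result; raise `HTTPException(status_code=500, detail=...)` with the generic message to keep the secrecy benefit and fix the status code.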
EOF
def fetch_url_content(url: str):
    # Vulnerability: No validation of the URL (API10:2019 - Unsafe Consumption of APIs)
    try:
        response = requests.get(url)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical

The full URL of this request depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the SSRF vulnerability, we need to validate the user-provided URL to ensure it is safe to use. One way to do this is to restrict the URLs to a predefined list of allowed domains or to validate the URL structure and ensure it does not point to any internal or sensitive resources.

The best way to fix this problem without changing existing functionality is to:

  1. Parse the user-provided URL.
  2. Validate the URL to ensure it points to an allowed domain.
  3. Reject or sanitize any URLs that do not meet the validation criteria.

We will use the urllib.parse module to parse and validate the URL.

Suggested changeset 1
insecure-api/main-2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-api/main-2.py b/insecure-api/main-2.py
--- a/insecure-api/main-2.py
+++ b/insecure-api/main-2.py
@@ -203,3 +203,11 @@
     # Vulnerability: No validation of the URL (API10:2019 - Unsafe Consumption of APIs)
+    from urllib.parse import urlparse
+
+    allowed_domains = ["example.com", "another-allowed-domain.com"]
+
     try:
+        parsed_url = urlparse(url)
+        if parsed_url.netloc not in allowed_domains:
+            raise ValueError("URL domain is not allowed")
+
         response = requests.get(url)
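Review bot: `parsed_url.netloc not in allowed_domains` compares the raw netloc, which still carries userinfo and port, so a legitimate `https://example.com:8443/` is rejected, while the scheme is never checked at all; compare `parsed_url.hostname` (lower-cased, port stripped), require `parsed_url.scheme in ("http", "https")`, and refuse any URL where `parsed_url.username` is set. Separately, `requests.get(url)` follows redirects by default, so an allowed host that 302s to an internal address is still reached; pass `allow_redirects=False` or validate each hop. The `from urllib.parse import urlparse` and the `allowed_domains` literal also belong at module level, not inside the function body.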
EOF
        response = requests.get(url)
        return {"content": response.text}
    except Exception as e:
        return {"error": str(e)}

Check warning

Code scanning / CodeQL

Information exposure through an exception Medium

Stack trace information flows to this location and may be exposed to an external user.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to modify the exception handling in the fetch_url_content function to ensure that detailed error information is not exposed to the user. Instead, we will log the detailed error message on the server and return a generic error message to the user.

  • We will import the logging module to log the detailed error message.
  • We will modify the exception handling block to log the detailed error message and return a generic error message to the user.
Suggested changeset 1
insecure-api/main-2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-api/main-2.py b/insecure-api/main-2.py
--- a/insecure-api/main-2.py
+++ b/insecure-api/main-2.py
@@ -8,2 +8,5 @@
 from fastapi.responses import RedirectResponse
+import logging
+
+logging.basicConfig(level=logging.ERROR)
 
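Review bot: `logging.basicConfig(level=logging.ERROR)` at module import time sets the root logger level for the whole process, hiding WARNING and INFO from every library the app uses; the log level is deployment configuration, so leave it to the entry point and just take a module logger here (`logger = logging.getLogger(__name__)`) for the handler below to use.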
@@ -207,3 +210,4 @@
     except Exception as e:
-        return {"error": str(e)}
+        logging.error("Error fetching URL content: %s", str(e))
+        return {"error": "An internal error has occurred. Please try again later."}
 
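Review bot: `logging.error("Error fetching URL content: %s", str(e))` discards the traceback that the alert is about; `logging.exception(...)` called inside the `except` block logs the same message with the stack trace attached. As with the earlier handler, returning a dict keeps the HTTP status at 200; consider `HTTPException(status_code=500)` with the same generic detail string.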
EOF
@app.get("/redirect")
def unsafe_redirect(next: str):
    # Vulnerability: Unvalidated redirect (API10:2019 - Unsafe Consumption of APIs)
    return RedirectResponse(url=next)

Check warning

Code scanning / CodeQL

URL redirection from remote source Medium

Untrusted URL redirection depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to validate the next parameter before using it in the redirection. One way to do this is to maintain a list of allowed redirect URLs and check if the user-provided URL is in that list. If it is not possible to maintain such a list, we can use the urlparse function from the Python standard library to ensure that the URL does not contain an explicit host name, making it a relative path and thus safe to redirect.

We will implement the fix by:

  1. Importing the urlparse function from the urllib.parse module.
  2. Replacing backslashes with forward slashes in the next parameter.
  3. Checking that the next parameter does not contain an explicit host name and scheme using the urlparse function.
  4. Redirecting to the home page if the next parameter is not safe.
Suggested changeset 1
insecure-api/main-2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-api/main-2.py b/insecure-api/main-2.py
--- a/insecure-api/main-2.py
+++ b/insecure-api/main-2.py
@@ -8,2 +8,3 @@
 from fastapi.responses import RedirectResponse
+from urllib.parse import urlparse
 
@@ -213,2 +214,5 @@
     # Vulnerability: Unvalidated redirect (API10:2019 - Unsafe Consumption of APIs)
-    return RedirectResponse(url=next)
+    next = next.replace('\\', '/')
+    if not urlparse(next).netloc and not urlparse(next).scheme:
+        return RedirectResponse(url=next)
+    return RedirectResponse(url='/')
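Review bot: the check holds against `//evil.com` and, thanks to the backslash rewrite, `/\evil.com`, but it still accepts a bare relative value such as `evil.com` (resolved against the current path) and it calls `urlparse(next)` twice. Parse once, require the value to start with a single `/` and not `//`, and reject `\r`, `\n` and `\t` before parsing, since recent Python versions strip those characters inside `urlparse` rather than failing. `next` also shadows the builtin; rename it (`next_url`). Note that `RedirectResponse` defaults to status 307, which re-sends the original method and body to the target; pass `status_code=303` (or 302) if the redirect is meant to land on a GET.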
EOF
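A stricter form of the redirect check discussed in the autofix above, added here as a worked example for this review (it is not code from the PR or from Copilot). Its one assumption is that every legitimate redirect target in this app is an absolute path on the same origin, so a bare relative value such as `evil.com` is refused as well:

```python
from urllib.parse import urlparse

# Characters a browser may strip or that could split a response header; refuse them outright.
_FORBIDDEN = ("\t", "\n", "\r", "\x00")


def _normalise(target: str) -> str:
    # Browsers treat '\' as '/' in URLs, so '/\evil.example' reads as '//evil.example'.
    return target.replace("\\", "/")


def is_safe_local_redirect(target: str) -> bool:
    """True only for a same-origin, path-absolute target such as '/account?x=1'."""
    if not target or any(ch in target for ch in _FORBIDDEN):
        return False
    candidate = _normalise(target)
    # Exactly one leading '/': '//host' is a protocol-relative URL, not a local path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parsed = urlparse(candidate)
    # Belt and braces: anything that parsed as a scheme or host is not a local path.
    return not parsed.scheme and not parsed.netloc


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the normalised target if it is safe, otherwise the fallback path."""
    return _normalise(target) if is_safe_local_redirect(target) else fallback


if __name__ == "__main__":
    for sample in ("/account", "//evil.example/", "/\\evil.example",
                   "https://evil.example/", "javascript:alert(1)", "evil.example"):
        print(f"{sample!r:28} -> {safe_redirect_target(sample)!r}")
```

The control-character test runs before `urlparse` on purpose: since Python 3.9.5 (and the matching 3.8/3.10 releases) the parser silently removes ASCII tab, CR and LF, so `"\t//evil.example"` would otherwise be parsed as a protocol-relative URL; rejecting those bytes first keeps the result independent of the interpreter version.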
sql = request.form['sql']
try:
    # Execute the user's SQL query
    cursor.execute(sql)

Check failure

Code scanning / CodeQL

SQL query built from user-controlled sources High

This SQL query depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the SQL injection vulnerability, we should avoid directly using user input in SQL queries. Instead, we should use parameterized queries, which allow the database connector library to safely handle user input by escaping and quoting it appropriately.

In this specific case, we need to:

  1. Replace the direct execution of the user-provided SQL query with a parameterized query.
  2. Ensure that the user input is safely embedded into the query using placeholders.
Suggested changeset 1
insecure-app/app2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-app/app2.py b/insecure-app/app2.py
--- a/insecure-app/app2.py
+++ b/insecure-app/app2.py
@@ -47,4 +47,4 @@
             try:
-                # Execute the user's SQL query
-                cursor.execute(sql)
+                # Use a parameterized query to safely execute the user's SQL query
+                cursor.execute("SELECT * FROM users WHERE username = ?", (sql,))
                 # Fetch all rows from the query result
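Review bot: this hunk changes what the endpoint does rather than securing it: the form field is named `sql` and the removed comment says the user's own statement is executed, yet the replacement runs a fixed `SELECT * FROM users WHERE username = ?` with the entire submitted SQL text bound as the username, so every caller of the feature silently gets an empty result. Arbitrary user-supplied SQL cannot be made safe by parameterization; either remove the endpoint (if it exists only as an intentionally vulnerable demo, suppress the alert in the CodeQL configuration instead of applying this patch) or redesign it around a fixed set of server-defined queries. The new comment `# Use a parameterized query to safely execute the user's SQL query` is also misleading, because the user's query is no longer executed at all.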
EOF
try:
    # Use lxml to parse the XML data
    parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
    tree = etree.fromstring(xml_data.encode(), parser)

Check failure

Code scanning / CodeQL

XML external entity expansion Critical

XML parsing depends on a user-provided value without guarding against external entity expansion.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to disable external entity expansion when parsing the XML data. This can be achieved by setting resolve_entities=False in the XMLParser. This change will prevent the parser from resolving external entities, thus mitigating the risk of XXE attacks.

Steps to fix:

  1. Modify the XMLParser initialization to set resolve_entities=False.
  2. Ensure that the parser is used to parse the XML data.
Suggested changeset 1
insecure-app/app2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-app/app2.py b/insecure-app/app2.py
--- a/insecure-app/app2.py
+++ b/insecure-app/app2.py
@@ -69,3 +69,3 @@
                 # Use lxml to parse the XML data
-                parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
+                parser = etree.XMLParser(load_dtd=False, resolve_entities=False)
                 tree = etree.fromstring(xml_data.encode(), parser)
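Review bot: the patch is right to set `load_dtd=False` as well as `resolve_entities=False`, even though the explanation only mentions the latter; loading the DTD is what triggers the outbound fetch of an external subset. Two follow-ups: with `resolve_entities=False` lxml leaves entity references as unresolved nodes in the tree instead of substituting their text, so any code that reads `.text` from the parsed elements should be checked for that case; and keep `no_network` at its default of `True` (never pass `no_network=False` to this parser) so nothing referenced from a DTD is fetched even if `load_dtd` is flipped back on later.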
EOF
elif 'url' in request.form:
    url = request.form['url']
    try:
        response = requests.get(url)

Check failure

Code scanning / CodeQL

Full server-side request forgery Critical

The full URL of this request depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the SSRF vulnerability, we need to ensure that the user input is validated and restricted to a set of allowed URLs or domains. This can be achieved by maintaining a list of authorized URLs on the server and selecting from that list based on the user input.

The best way to fix this problem without changing existing functionality is to:

  1. Define a list of allowed base URLs.
  2. Validate the user-provided URL against this list.
  3. Construct the final URL using the validated base URL and any additional path or query parameters.
Suggested changeset 1
insecure-app/app2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-app/app2.py b/insecure-app/app2.py
--- a/insecure-app/app2.py
+++ b/insecure-app/app2.py
@@ -78,7 +78,11 @@
             url = request.form['url']
-            try:
-                response = requests.get(url)
-                output = f"SSRF Response: {response.text[:200]}"
-            except Exception as e:
-                output = f"SSRF Error: {e}"
+            allowed_urls = ["https://example.com", "https://api.example.com"]
+            if any(url.startswith(base) for base in allowed_urls):
+                try:
+                    response = requests.get(url)
+                    output = f"SSRF Response: {response.text[:200]}"
+                except Exception as e:
+                    output = f"SSRF Error: {e}"
+            else:
+                output = "Invalid URL provided."
 
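Review bot: `url.startswith(base)` with `base = "https://example.com"` is a prefix test on the string, not a check on the host, so `https://example.com.evil.net/`, `https://example.com@evil.net/` and `https://example.comevil.net/` all pass and the request goes to `evil.net`; parse with `urllib.parse.urlsplit`, require the scheme to be http or https, reject any userinfo, and compare `hostname` exactly against the allowlist. The restructured block also still formats the exception into the page (`output = f"SSRF Error: {e}"`), the same information-exposure pattern flagged elsewhere in this PR; log it and return a generic message. And as in the FastAPI handler, `requests.get` follows redirects, so an allowed host can bounce the request to an internal address unless `allow_redirects=False` is passed.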
EOF
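Both SSRF autofixes on this page, the `parsed_url.netloc` allowlist in the FastAPI `fetch_url_content` patch earlier and the `url.startswith(base)` check in the `app2.py` patch just above, are illustrated by this added example; it is not code from the PR or from Copilot. `ALLOWED_HOSTS` and `PREFIX_BASES` are stand-ins for the placeholder domains in the patches, and the sample URLs are constructed for the demonstration:

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist for this example only (stand-ins, not project configuration).
ALLOWED_HOSTS = frozenset({"example.com", "api.example.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
PREFIX_BASES = ("https://example.com", "https://api.example.com")


def prefix_check(url: str) -> bool:
    """The string-prefix test from the app2.py autofix, kept only to show its bypasses."""
    return any(url.startswith(base) for base in PREFIX_BASES)


def host_allowlist_check(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only http(s) URLs whose parsed host name is exactly on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # 'user@host' lets an attacker put an allowed name before '@' while the
    # request actually goes to the host after it; refuse any userinfo at all.
    if parts.username is not None or parts.password is not None:
        return False
    # .hostname is lower-cased with port and IPv6 brackets removed, unlike .netloc,
    # so 'https://example.com:8443/' is still recognised as example.com.
    host = parts.hostname
    return bool(host) and host in allowed_hosts


def is_public_ip(ip_text: str) -> bool:
    """True for a globally routable address; False for loopback, RFC 1918,
    link-local (169.254.169.254 cloud metadata), CGNAT and similar ranges.
    Apply this to the address the host name resolves to, right before connecting."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)   # '::ffff:10.0.0.1' hides an IPv4 address
    if mapped is not None:
        ip = mapped
    return ip.is_global


def bypass_report() -> dict:
    """Constructed inputs showing where the prefix test and the host test disagree."""
    samples = [
        "https://example.com/path",        # legitimate
        "https://example.com:8443/path",   # legitimate, non-default port
        "HTTPS://EXAMPLE.COM/",            # legitimate, odd casing
        "https://example.com.evil.net/",   # prefix bypass: allowed name as a subdomain label
        "https://example.com@evil.net/",   # prefix bypass: allowed name as userinfo
        "http://127.0.0.1/admin",          # loopback
        "file:///etc/passwd",              # non-HTTP scheme
    ]
    return {u: (prefix_check(u), host_allowlist_check(u)) for u in samples}


if __name__ == "__main__":
    for url, (prefix_ok, host_ok) in bypass_report().items():
        print(f"{url:36} prefix={prefix_ok!s:5} host={host_ok!s:5}")
```

`host_allowlist_check` answers the question the two patches were trying to ask; `is_public_ip` covers the step neither patch takes, which is checking the address actually connected to. That check cannot be done on the URL string alone: resolve the name, reject non-global results, and then request with redirects disabled (or re-validate every `Location` hop), because an allowed host can still redirect to an internal address. DNS rebinding between the check and the connect is the remaining gap, closed only by resolving once and connecting to the validated IP.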
try:
    # Vulnerable SQL query using string interpolation
    query = "SELECT password FROM users WHERE username = '{}'".format(username)
    cursor.execute(query)

Check failure

Code scanning / CodeQL

SQL query built from user-controlled sources High

This SQL query depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the SQL injection vulnerability, we should use parameterized queries instead of directly embedding user input into the SQL query string. Parameterized queries ensure that user input is properly escaped and treated as data rather than executable code.

In the provided code snippet, we need to modify the SQL query construction and execution to use parameterized queries. Specifically, we will replace the string formatting with a parameterized query using placeholders and pass the user input as parameters to the cursor.execute method.

Suggested changeset 1
insecure-app/app2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-app/app2.py b/insecure-app/app2.py
--- a/insecure-app/app2.py
+++ b/insecure-app/app2.py
@@ -89,4 +89,4 @@
                 # Vulnerable SQL query using string interpolation
-                query = "SELECT password FROM users WHERE username = '{}'".format(username)
-                cursor.execute(query)
+                query = "SELECT password FROM users WHERE username = ?"
+                cursor.execute(query, (username,))
                 result = cursor.fetchone()
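Review bot: the unchanged context line `# Vulnerable SQL query using string interpolation` is false once this hunk lands and will mislead the next reader; update or delete it in the same patch. The parameterized `SELECT password FROM users WHERE username = ?` is the right shape (qmark style, so confirm the cursor comes from `sqlite3` or another qmark-style driver).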
EOF
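The two Python SQL autofixes in this PR (the f-string `video_games` query in `main-2.py` and the `.format` `users` query just above) both swap string interpolation for a `?` placeholder. This added example, which is not code from the PR or from Copilot, puts the two forms side by side on a constructed in-memory `sqlite3` table so the difference is observable, and shows how to pick the placeholder from the driver's `paramstyle`; `SAMPLE_GAMES` and the schema are made up for the example:

```python
import sqlite3

# Constructed sample data for this example; the PR's real schema is not shown.
SAMPLE_GAMES = [("Halo", 2001), ("Doom", 1993), ("Myst", 1993)]

# Positional placeholder by DB-API paramstyle: the '?' in the autofixes is qmark,
# which sqlite3 uses; psycopg2 and mysql-connector expect '%s' instead.
_PLACEHOLDERS = {"qmark": "?", "format": "%s", "pyformat": "%s", "numeric": ":1", "named": ":name"}


def placeholder_for(driver_module) -> str:
    """Return the placeholder a DB-API driver module expects (e.g. sqlite3 -> '?')."""
    return _PLACEHOLDERS[driver_module.paramstyle]


DRIVER_PLACEHOLDER = placeholder_for(sqlite3)


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the one the flagged query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE video_games (title TEXT, year INTEGER)")
    conn.executemany("INSERT INTO video_games VALUES (?, ?)", SAMPLE_GAMES)
    return conn


def search_vulnerable(conn: sqlite3.Connection, query: str) -> list:
    """The flagged pattern: the caller's text is spliced into the SQL string."""
    sql = f"SELECT title FROM video_games WHERE title = '{query}'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, query: str) -> list:
    """The autofix pattern: a placeholder in the SQL, the value passed separately."""
    sql = f"SELECT title FROM video_games WHERE title = {DRIVER_PLACEHOLDER}"
    return [row[0] for row in conn.execute(sql, (query,))]


def compare(query: str) -> dict:
    """Run both forms on the same input and return what each one matched."""
    conn = make_db()
    try:
        return {"vulnerable": search_vulnerable(conn, query),
                "parameterized": search_parameterized(conn, query)}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("Halo"))          # both forms match the single row
    print(compare("' OR '1'='1"))   # the vulnerable form returns every row
```

With the payload `' OR '1'='1` the interpolated statement becomes `WHERE title = '' OR '1'='1'` and matches the whole table, while the parameterized form looks for a title that literally equals the payload and finds nothing. The placeholder lookup is the practical caveat for this PR: `?` is correct only for qmark-style drivers, so the same autofix applied against a `%s`-style driver would fail at runtime.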
""", output=output)

if __name__ == '__main__':
app.run(host='0.0.0.0', port=8080, debug=True)

Check failure

Code scanning / CodeQL

Flask app is run in debug mode High

A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to ensure that the Flask application does not run in debug mode in a production environment. This can be achieved by setting the debug parameter to False or by using an environment variable to control the debug mode. This way, the application can be safely run in debug mode during development but will be secure in a production environment.

The best way to fix this issue without changing existing functionality is to modify the app.run call to use an environment variable to determine whether to enable debug mode. This involves importing the os module and using os.getenv to check for a FLASK_DEBUG environment variable.

Suggested changeset 1
insecure-app/app2.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-app/app2.py b/insecure-app/app2.py
--- a/insecure-app/app2.py
+++ b/insecure-app/app2.py
@@ -167,2 +167,3 @@
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=8080, debug=True)
+    debug_mode = os.getenv('FLASK_DEBUG', 'False').lower() in ['true', '1', 't']
+    app.run(host='0.0.0.0', port=8080, debug=debug_mode)
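Review bot: the new `os.getenv` line needs `import os` at the top of `app2.py`, which this hunk does not add; check it is already imported or the script fails at startup. Also, `app.run()` already consults the `FLASK_DEBUG` environment variable when no `debug` argument is given, so `app.run(host='0.0.0.0', port=8080)` achieves the same thing without the hand-rolled truthiness list. Whatever the debug setting, `host='0.0.0.0'` keeps the dev server (and, when debug is on, the Werkzeug debugger console) reachable from every interface; bind to `127.0.0.1` unless there is a reason not to.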
EOF
// MySQL Connection Setup
const connection = mysql.createConnection({
    host: 'localhost',
    user: 'root',

Check failure

Code scanning / CodeQL

Hard-coded credentials Critical

The hard-coded value "root" is used as user name.
const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber3};`;
responseMessages.push(`<p>Executing SQL query: ${query}</p>`);

connection.query(query, (err, rows) => {

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query string depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the problem, we should use parameterized queries to safely embed user input into the SQL query. This approach ensures that the user input is treated as a literal value and not as part of the SQL command, thus preventing SQL injection attacks.

We will modify the code to use parameterized queries provided by the mysql2 library. Specifically, we will replace the direct embedding of postData.orderNumber3 into the query string with a placeholder (?) and pass the user input as a parameter to the connection.query method.

Suggested changeset 1
insecure-js/server2.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/server2.js b/insecure-js/server2.js
--- a/insecure-js/server2.js
+++ b/insecure-js/server2.js
@@ -75,6 +75,6 @@
         try {
-            const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber3};`;
-            responseMessages.push(`<p>Executing SQL query: ${query}</p>`);
+            const query = `SELECT product FROM Orders WHERE orderNumber = ?;`;
+            responseMessages.push(`<p>Executing SQL query with order number: ${postData.orderNumber3}</p>`);
         
-            connection.query(query, (err, rows) => {
+            connection.query(query, [postData.orderNumber3], (err, rows) => {
                 if (err) {
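Review bot: the new `responseMessages.push(`<p>Executing SQL query with order number: ${postData.orderNumber3}</p>`)` line still interpolates the raw request value into HTML, so a value such as `<img src=x onerror=...>` is reflected unescaped (the old line had the same problem through `${query}`); run it through the same `he.escape` that the later autofix on this file introduces, or drop the echo entirely. The `?` placeholder with the `[postData.orderNumber3]` array is the right form for the mysql driver; since `orderNumber` is a numeric column, validating with `Number.isInteger(Number(postData.orderNumber3))` before the query gives a clean 400 on junk input instead of an empty result.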
EOF
}

if (res) {
    res.end(responseMessages.join(""));

Check warning

Code scanning / CodeQL

Exception text reinterpreted as HTML Medium

Exception text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to ensure that any user-controlled data included in the HTML response is properly escaped to prevent XSS attacks. The best way to fix this is to use a library that provides HTML escaping functions. One such library is he (HTML entities), which can be used to escape any potentially dangerous characters in the error messages.

  1. Install the he library.
  2. Import the he library in the file.
  3. Use the he.escape function to escape the error messages before including them in the HTML response.
Suggested changeset 2
insecure-js/server2.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/server2.js b/insecure-js/server2.js
--- a/insecure-js/server2.js
+++ b/insecure-js/server2.js
@@ -11,2 +11,3 @@
 const path = require('path');
+const he = require('he');
 
@@ -81,3 +82,3 @@
                     console.error("SQL query error:", err);
-                    responseMessages.push(`<p>An error occurred: ${err.message}</p>`);
+                    responseMessages.push(`<p>An error occurred: ${he.escape(err.message)}</p>`);
                 } else {
@@ -96,3 +97,3 @@
             console.error("SQL query execution error:", error);
-            responseMessages.push(`<p>An unexpected error occurred: ${error.message}</p>`);
+            responseMessages.push(`<p>An unexpected error occurred: ${he.escape(error.message)}</p>`);
         }
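Review bot: `he.escape(err.message)` and `he.escape(error.message)` are correct for text placed inside a `<p>` element, which is the context on both lines; keep it that way, because `he.escape` only encodes `& < > " '` and the backtick, which is not sufficient if the same message is ever moved into an attribute, a `<script>` block or a `javascript:` URL. Both `console.error` calls above the escaped lines still log the full error objects server-side, which is where the detail belongs.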
EOF
insecure-js/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/package.json b/insecure-js/package.json
--- a/insecure-js/package.json
+++ b/insecure-js/package.json
@@ -13,3 +13,4 @@
     "sequelize": "4.44.1",
-    "sqlite3": "^5.0.2"
+    "sqlite3": "^5.0.2",
+    "he": "^1.2.0"
   },
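Review bot: `"he": "^1.2.0"` is appended after `sqlite3`, leaving the `dependencies` block out of alphabetical order; the next `npm install <package>` that rewrites package.json will re-sort it and produce a noisy diff, so place the entry before `sequelize` now. While in this block: `sequelize` is pinned to the exact `4.44.1` where the other entries use caret ranges, and Sequelize 4 is several major versions behind current releases; check the lockfile and plan the upgrade rather than adding new query code against it.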
EOF
This fix introduces these dependencies:

Package    Version   Security advisories
he (npm)   1.2.0     None
(async () => {
    try {
        const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber};`;
        const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT });

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query string depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the problem, we should use parameterized queries to safely embed user input into the SQL query. This approach ensures that the user input is treated as a literal value and not as part of the SQL command, thus preventing SQL injection attacks.

In this specific case, we will modify the query construction to use Sequelize's query parameterization feature. This involves replacing the direct embedding of postData.orderNumber with a placeholder and passing the actual value as a parameter.

Suggested changeset 1
insecure-js/server2.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/server2.js b/insecure-js/server2.js
--- a/insecure-js/server2.js
+++ b/insecure-js/server2.js
@@ -111,4 +111,7 @@
               try {
-                const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber};`;
-                const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT });
+                const query = `SELECT product FROM Orders WHERE orderNumber = :orderNumber;`;
+                const result = await sequelize.query(query, { 
+                  type: sequelize.QueryTypes.SELECT,
+                  replacements: { orderNumber: postData.orderNumber }
+                });
                 responseMessages[index] += result.length > 0
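Review bot: `replacements` are escaped and spliced into the SQL text by Sequelize on the client before the statement is sent, which is safe for this query but is still string substitution; Sequelize's `bind` option (`$orderNumber` in the query, `bind: { orderNumber: ... }` in the options) sends a real bound parameter where the dialect supports it and is the better default for new code. Either way, `orderNumber` is compared to a numeric column, so coerce and validate it (`Number.isInteger`) before the query rather than binding an arbitrary string.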
EOF
asyncTasks.push(
    new Promise((resolve) => {
        const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber2};`;
        db.all(query, [], (err, rows) => {

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query string depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the SQL injection vulnerability, we should use parameterized queries to safely embed user input into the SQL query string. This approach ensures that user input is treated as a literal value and not as part of the SQL command, thus preventing SQL injection attacks.

In the provided code snippet, we need to modify the query construction on line 130 to use parameterized queries with the sqlite3 library. We will replace the direct embedding of postData.orderNumber2 with a placeholder and pass the user input as a parameter to the db.all method.

Suggested changeset 1
insecure-js/server2.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/server2.js b/insecure-js/server2.js
--- a/insecure-js/server2.js
+++ b/insecure-js/server2.js
@@ -129,4 +129,4 @@
             new Promise((resolve) => {
-              const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber2};`;
-              db.all(query, [], (err, rows) => {
+              const query = `SELECT product FROM Orders WHERE orderNumber = ?;`;
+              db.all(query, [postData.orderNumber2], (err, rows) => {
                 if (err) {
EOF
(async () => {
    try {
        const users = await User.findAll({
            where: sequelize.literal(`username = "${postData.username}"`),

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query string depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the problem, we should use parameterized queries or prepared statements to safely embed user input into the SQL query. This approach ensures that the user input is treated as a literal value and not as part of the SQL command, thus preventing SQL injection attacks.

In this specific case, we will modify the Sequelize findAll method to use query parameters instead of embedding the user input directly into the query string. This can be achieved by using the where clause with a parameterized query.

Suggested changeset 1
insecure-js/server2.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/server2.js b/insecure-js/server2.js
--- a/insecure-js/server2.js
+++ b/insecure-js/server2.js
@@ -152,3 +152,3 @@
                 const users = await User.findAll({
-                  where: sequelize.literal(`username = "${postData.username}"`),
+                  where: { username: postData.username },
                 });
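Review bot: `where: { username: postData.username }` is the right fix, but with `sequelize` pinned at 4.44.1 (see package.json) the string operator aliases such as `$gt` and `$like` are still enabled by default, so if `postData` can carry nested objects (a JSON body rather than form fields) a payload like `{"username": {"$gt": ""}}` becomes `username > ''` and matches every user; coerce with `String(postData.username)` or construct Sequelize with `operatorsAliases: false`. The removed literal also used double quotes around a string value, which only MySQL accepts; the object form removes that dialect dependence as a side benefit.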
EOF
asyncTasks.push(
    (async () => {
        try {
            const compiled = _.template(postData.template);

Check failure

Code scanning / CodeQL

Code injection Critical

Template, which may contain code, depends on a user-provided value.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to ensure that user input is properly sanitized or validated before being used in the _.template function. One way to achieve this is by using a whitelist approach, where only safe and predefined templates are allowed to be executed. Alternatively, we can escape any potentially dangerous characters in the user input to prevent code injection.

The best way to fix this issue without changing existing functionality is to escape the user input before passing it to the _.template function. We can use the _.escape function from Lodash to escape HTML entities in the user-provided template.

Suggested changeset 1
insecure-js/server2.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/server2.js b/insecure-js/server2.js
--- a/insecure-js/server2.js
+++ b/insecure-js/server2.js
@@ -173,3 +173,4 @@
               try {
-                const compiled = _.template(postData.template);
+                const escapedTemplate = _.escape(postData.template);
+                const compiled = _.template(escapedTemplate);
                 const output = compiled({});
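Review bot: `_.escape` does not neutralise the template. It encodes only `&`, `<`, `>`, `"` and `'`, while lodash's default interpolate setting also evaluates ES-style `${ }` expressions, so code inside the user-supplied template still runs; and any legitimate `<%` becomes `&lt;%`, which silently breaks templates that were meant to work. The fix is to stop compiling user input at all: keep the template a server-side constant and pass the request value in as data, e.g. `const compiled = _.template(FIXED_TEMPLATE); const output = compiled({ value: postData.template });`.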
EOF

// Send combined response
res.writeHead(200, { 'Content-Type': 'text/html' });
res.end(responseMessages.join('') + `<p><a href="/">Go back</a></p>`);

Check warning

Code scanning / CodeQL

Exception text reinterpreted as HTML Medium

Exception text
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix

AI 7 months ago

To fix the problem, we need to ensure that any user input or error messages included in the HTML response are properly sanitized or escaped to prevent XSS attacks. The best way to achieve this is by using a library that provides HTML escaping functions.

  • We will use the he library, which is a robust HTML entity encoder/decoder.
  • We will replace the direct concatenation of user input and error messages with properly escaped versions using the he library.
  • Specifically, we will modify the lines where user input and error messages are added to the responseMessages array and where the final response is sent.
Suggested changeset 2
insecure-js/server2.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/server2.js b/insecure-js/server2.js
--- a/insecure-js/server2.js
+++ b/insecure-js/server2.js
@@ -11,3 +11,3 @@
 const path = require('path');
-
+const he = require('he');
 // MySQL Connection Setup
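Review bot: `require('he')` throws at startup until the dependency is declared; the second changeset of this suggestion adds it to package.json, so both patches have to land together and the lockfile has to be regenerated, otherwise the first patch alone leaves the server unable to boot.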
@@ -70,3 +70,3 @@
       const SECRET_KEY = process.env.SECRET_KEY || 'PLACEHOLDER_SECRET_KEY';
-      responseMessages.push(`<p>Current Secret Key: ${SECRET_KEY}</p>`);
+      responseMessages.push(`<p>Current Secret Key: ${he.encode(SECRET_KEY)}</p>`);
 
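Review bot: encoding `SECRET_KEY` only stops it being parsed as HTML; the secret is still sent to every client in the response body. The right change for this hunk is to delete the `responseMessages.push(...)` line rather than wrap its argument in `he.encode`.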
@@ -76,3 +76,3 @@
             const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber3};`;
-            responseMessages.push(`<p>Executing SQL query: ${query}</p>`);
+            responseMessages.push(`<p>Executing SQL query: ${he.encode(query)}</p>`);
         
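Review bot: the encode call fixes the echo of `query`, but the statement on the unchanged context line above is still built by interpolating `postData.orderNumber3`, which is the SQL injection the other scanners on this PR flag. Suggest a placeholder query, `connection.query('SELECT product FROM Orders WHERE orderNumber = ?', [postData.orderNumber3], ...)`, and not echoing the statement text to the client at all.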
@@ -81,8 +81,8 @@
                     console.error("SQL query error:", err);
-                    responseMessages.push(`<p>An error occurred: ${err.message}</p>`);
+                    responseMessages.push(`<p>An error occurred: ${he.encode(err.message)}</p>`);
                 } else {
                     if (rows.length > 0) {
-                        responseMessages.push(`<p>Order details (Product only):</p><pre>${JSON.stringify(rows, null, 2)}</pre>`);
+                        responseMessages.push(`<p>Order details (Product only):</p><pre>${he.encode(JSON.stringify(rows, null, 2))}</pre>`);
                     } else {
-                        responseMessages.push(`<p>No orders found with order number ${postData.orderNumber3}</p>`);
+                        responseMessages.push(`<p>No orders found with order number ${he.encode(postData.orderNumber3)}</p>`);
                     }
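Review bot: `he.encode(err.message)` stops the driver message being interpreted as HTML, but it still returns database error text to the client, which discloses schema and query details. The `console.error` on the first context line already logs it server-side; push a fixed string such as `<p>An error occurred.</p>` instead. The `he.encode(JSON.stringify(rows, null, 2))` inside `<pre>` is correct.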
@@ -96,3 +96,3 @@
             console.error("SQL query execution error:", error);
-            responseMessages.push(`<p>An unexpected error occurred: ${error.message}</p>`);
+            responseMessages.push(`<p>An unexpected error occurred: ${he.encode(error.message)}</p>`);
         }
@@ -211,3 +211,3 @@
               const jqueryCode = `<script src="${postData.jqueryUrl}"></script>`;
-              responseMessages[index] += `<p>jQuery was loaded from user-provided URL:</p><pre>${jqueryCode}</pre>`;
+              responseMessages[index] += `<p>jQuery was loaded from user-provided URL:</p><pre>${he.encode(jqueryCode)}</pre>`;
             })()
@@ -221,3 +221,3 @@
         res.writeHead(200, { 'Content-Type': 'text/html' });
-        res.end(responseMessages.join('') + `<p><a href="/">Go back</a></p>`);
+        res.end(he.encode(responseMessages.join('')) + `<p><a href="/">Go back</a></p>`);
       } catch (error) {
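Review bot: `he.encode(responseMessages.join(''))` is wrong and should be dropped. It encodes the entire assembled page, so every `<p>` and `<pre>` emitted earlier is rendered as literal text, and the values already encoded by the hunks above are double-encoded (`&lt;` becomes `&amp;lt;`). Encoding belongs at the point each untrusted value is inserted, which the earlier hunks already do; the `res.end` line should stay as it was.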
EOF
insecure-js/package.json

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/insecure-js/package.json b/insecure-js/package.json
--- a/insecure-js/package.json
+++ b/insecure-js/package.json
@@ -13,3 +13,4 @@
     "sequelize": "4.44.1",
-    "sqlite3": "^5.0.2"
+    "sqlite3": "^5.0.2",
+    "he": "^1.2.0"
   },
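Review bot: adding `"he": "^1.2.0"` here is fine, but a package-lock.json exists for this project (the Semgrep supply-chain findings on this PR cite it), so `npm install` has to be run to update the lock or a clean `npm ci` will fail; the patch as given leaves package.json and the lockfile out of sync.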
EOF
This fix introduces these dependencies: he (npm) 1.2.0, security advisories: none.
asyncTasks.push(
(async () => {
try {
const parsedObject = JSON5.parse(postData.json5data);


Risk: The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Fix: Upgrade this library to at least version 2.2.2 at insecure-kubernetes-deployments/insecure-js/package-lock.json:1076.

Reference(s): GHSA-9c47-m6qq-7p4h, CVE-2022-46175

💬 To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-9573292b-0077-44a6-b92f-3111f0ffbaca.

asyncTasks.push(
(async () => {
try {
const compiled = _.template(postData.template);


Risk: lodash versions prior to 4.17.21 (or lodash.template version 4.6.2) are vulnerable to Command Injection via the template function. Please remediate by updating to version 4.17.21 (or 4.6.2). GHSA-35jh-r3h4-6jhm

Fix: Upgrade this library to at least version 4.17.21 at insecure-kubernetes-deployments/insecure-js/package-lock.json:1087.

Reference(s): GHSA-35jh-r3h4-6jhm, CVE-2021-23337

💬 To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-c6bc1896-7044-4b22-b31a-753d52070423.

asyncTasks.push(
(async () => {
try {
const compiled = _.template(postData.template);


Risk: lodash 4.17.x before 4.17.12, lodash.defaultsdeep 4.6.x before 4.6.1, lodash.mergewith 4.6.x before 4.6.2, lodash.merge 4.6.x before 4.6.2, and lodash.template 4.5.x before 4.5.0 are vulnerable to improper input validation. Several lodash methods unsafely perform object merges, allowing user input to override object prototypes. Upgrade to lodash 4.17.12, lodash.defaultsdeep 4.6.1, lodash.mergewith 4.6.2, lodash.merge 4.6.2, or lodash.template 4.5.0.

Fix: Upgrade this library to at least version 4.17.12 at insecure-kubernetes-deployments/insecure-js/package-lock.json:1087.

Reference(s): GHSA-jf85-cpcp-j695, CVE-2019-10744

💬 To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssc-a4fd0e64-ce76-449c-8e09-743db9edce4e.


@jit-ci jit-ci bot left a comment


❌ Jit has detected 24 important findings in this PR that you should review.

The first 10 findings are detailed below as separate comments.
Click here to view all the findings on Jit.

It’s highly recommended that you fix these security issues before merging.
Alternatively, comment #jit_ignore_all in this PR to ignore all findings. Admin privileges required.

const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber3};`;
responseMessages.push(`<p>Executing SQL query: ${query}</p>`);

connection.query(query, (err, rows) => {

Security control: Static Code Analysis Js

Sql Injection Via Untrusted Function Argument In Node Mysql Queries

Detected a mysql2 SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQL Injection via Untrusted Function Argument in Node MySQL Queries" in insecure-js/server2.js; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

(async () => {
try {
const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber};`;
const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT });

Security control: Static Code Analysis Js

Sql Injection Via Untrusted Function Argument In Node Mysql Queries

Detected a mysql2 SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQL Injection via Untrusted Function Argument in Node MySQL Queries" in insecure-js/server2.js; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

try:
# Use lxml to parse the XML data
parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
tree = etree.fromstring(xml_data.encode(), parser)

Security control: Static Code Analysis Python Semgrep

Potential Xxe Vulnerability With Native Python Xml Libraries

Found use of the native Python XML libraries, which is vulnerable to XML external entity (XXE)
attacks. The Python documentation recommends the 'defusedxml' library instead. Use 'defusedxml'.
See https://github.com/tiran/defusedxml for more information.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Potential XXE vulnerability with native Python XML libraries" in insecure-app/app2.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command
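
Added example (not code from this PR or the repository): a Python parse gate for the flagged `etree.fromstring(xml_data.encode(), parser)` pattern. It refuses any document that carries a DTD before the parser ever sees it, since the external-entity declaration is what XXE depends on, and then parses with the standard library. The function names and the two sample documents are constructed for the illustration; the XXE sample is the one shown in the app's own form above. This complements the defusedxml recommendation rather than replacing it.

```python
import re
import xml.etree.ElementTree as ET

# Any document carrying a DTD is refused outright: the endpoint never needs
# entity declarations, and external entities are what make XXE possible.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b")


class UnsafeXML(ValueError):
    """Raised when the input contains a DOCTYPE or ENTITY declaration."""


def parse_untrusted_xml(xml_data: str) -> ET.Element:
    """Parse XML from an untrusted source without ever honouring a DTD.

    Returns the root element. Raises UnsafeXML if a DOCTYPE or ENTITY
    declaration appears anywhere in the input (a comment containing the
    literal text is rejected too; that false positive is acceptable here).
    Malformed XML raises ET.ParseError as usual.
    """
    raw = xml_data.encode()
    if _DTD_MARKER.search(raw):
        raise UnsafeXML("DTD or entity declarations are not accepted")
    # The stdlib expat-based parser does not fetch external resources, but
    # refusing the DTD up front also keeps internal-entity expansion
    # (billion-laughs style) out of reach entirely.
    return ET.fromstring(raw)


def is_safe_xml(xml_data: str) -> bool:
    """Accept/reject predicate for callers that do not need the tree."""
    try:
        parse_untrusted_xml(xml_data)
    except (UnsafeXML, ET.ParseError):
        return False
    return True


# Constructed inputs: the XXE sample from the app's own form, and a benign document.
XXE_SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>"""

BENIGN_SAMPLE = '<?xml version="1.0"?><root><item id="1">hello</item></root>'

if __name__ == "__main__":
    print("xxe sample accepted:", is_safe_xml(XXE_SAMPLE))
    root = parse_untrusted_xml(BENIGN_SAMPLE)
    print("benign root tag:", root.tag, "first child text:", root[0].text)
```

In the Flask handler this replaces the `etree.XMLParser(load_dtd=True, resolve_entities=True)` line and the `fromstring` call; if the application does need DTDs for some input, defusedxml is the library to reach for, not a hand-rolled filter.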

username = ''
password = ''
try:
cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password))

Security control: Static Code Analysis Python Semgrep

Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection

Avoid SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL injection. To execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-app/app2.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

cursor = conn.cursor()
try:
sql_query = f"SELECT * FROM tiles WHERE title = '{query}'"
cursor.execute(sql_query)

Security control: Static Code Analysis Python Semgrep

Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection

Avoid SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL injection. To execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-api/main.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

elif 'url' in request.form:
url = request.form['url']
try:
response = requests.get(url)

Security control: Static Code Analysis Python Semgrep

Potential Ssrf With Request Data In Server-Side Requests

Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Potential SSRF with request data in server-side requests" in insecure-app/app2.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

elif 'url' in request.form:
url = request.form['url']
try:
response = requests.get(url)

Security control: Static Code Analysis Python Semgrep

Server-Side Request Forgery (Ssrf) Risk With User Data In Requests In Django

Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.

Severity: HIGH



Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

This remediation will modify the vulnerable request call in your code to validate the target URL before making a request. This helps prevent server-side request forgery (SSRF) attacks by ensuring that only allowed URLs are used.

Suggested change
response = requests.get(url)
response = requests.get(urlget.lower() in ['get', 'post'] and ensure_allowed_url()

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Server-Side Request Forgery (SSRF) risk with user data in requests in Django" in insecure-app/app2.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command
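
Added example (not code from this PR, the repository, or Jit): a concrete version of the URL allowlist that both SSRF findings above ask for, written for the `response = requests.get(url)` line. The function is named `ensure_allowed_url` after the placeholder in Jit's suggested change, but its body, the `ALLOWED_HOSTS` set and the sample URLs are assumptions constructed for this illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Outbound targets this service may fetch (constructed for the example; a real
# deployment loads these from configuration).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def ensure_allowed_url(url: str) -> str:
    """Return `url` unchanged if it is an acceptable outbound target, else raise ValueError.

    Checks, in order: scheme allowlist, no embedded credentials, no IP
    literal, exact hostname allowlist (so localhost, link-local and internal
    names are refused even when they resolve), and no explicit port. The
    hostname is compared as a string; nothing is resolved here.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    try:
        ip_address(host)
    except ValueError:
        pass  # not an IP literal, carry on to the hostname allowlist
    else:
        raise ValueError("IP literals are not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.port is not None:  # also raises ValueError on a malformed port
        raise ValueError("explicit ports are not allowed")
    return url


def is_allowed_url(url: str) -> bool:
    """Boolean form of ensure_allowed_url for logging or tests."""
    try:
        ensure_allowed_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, including the value pre-filled in the app's SSRF form.
    for candidate in ("https://api.example.com/v1/items?x=1", "http://localhost:8080/",
                      "https://127.0.0.1/", "https://user:pw@api.example.com/"):
        print(candidate, "->", "allowed" if is_allowed_url(candidate) else "rejected")
```

In the handler the call becomes `requests.get(ensure_allowed_url(url), allow_redirects=False, timeout=5)`: redirects are disabled because an allowlisted host could otherwise redirect the request to one that was not checked, and the response body should not be relayed to the user verbatim, as the finding text says.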

# 2 - Command Injection
if 'command' in request.form:
cmd = request.form['command']
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

Security control: Static Code Analysis Python Semgrep

User Data In Subprocess Function Risks Command Injection Vulnerability

Detected subprocess function 'Popen' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "User data in subprocess function risks command injection vulnerability" in insecure-app/app2.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command
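
Added example (not code from this PR or the repository): what replacing the flagged `subprocess.Popen(cmd, shell=True, ...)` line looks like in practice. The user string is tokenised with `shlex.split`, the executable must be on an allowlist mapped to absolute paths, arguments are restricted to a conservative character set and to relative paths, and the process is started with `shell=False` so no shell ever parses the input. `ALLOWED_COMMANDS`, the argument pattern and the sample strings are assumptions constructed for this illustration; the first sample is the `ls -la` value pre-filled in the app's form.

```python
import re
import shlex
import subprocess

# Executables the endpoint may run, keyed by the name a user may type and
# mapped to absolute paths so PATH lookups cannot be influenced. Constructed.
ALLOWED_COMMANDS = {"ls": "/bin/ls", "uptime": "/usr/bin/uptime"}

# Arguments are limited to this character set. Even though no shell is used,
# refusing metacharacters keeps the audit trail simple and the intent obvious.
_SAFE_ARG = re.compile(r"[A-Za-z0-9_./-]+")


def build_argv(cmd: str) -> list:
    """Turn a user-supplied command string into a vetted argv list.

    Raises ValueError for an empty command, an executable that is not on the
    allowlist, an argument with disallowed characters, an absolute path or a
    '..' component, or a string shlex cannot tokenise (unbalanced quotes).
    """
    try:
        tokens = shlex.split(cmd)
    except ValueError as exc:
        raise ValueError(f"cannot parse command: {exc}") from exc
    if not tokens:
        raise ValueError("empty command")
    exe, *args = tokens
    if exe not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {exe!r}")
    for arg in args:
        if not _SAFE_ARG.fullmatch(arg):
            raise ValueError(f"argument contains disallowed characters: {arg!r}")
        if arg.startswith("/") or ".." in arg.split("/"):
            raise ValueError(f"argument must be a relative path without '..': {arg!r}")
    return [ALLOWED_COMMANDS[exe], *args]


def is_valid_command(cmd: str) -> bool:
    """Boolean form of build_argv for logging or tests."""
    try:
        build_argv(cmd)
    except ValueError:
        return False
    return True


def run_command(cmd: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Validate and run `cmd` without a shell, with output captured and a timeout."""
    argv = build_argv(cmd)
    # shell=False (the default): argv goes straight to execve, so characters
    # like ';' or '$(' in an argument are plain bytes, never interpreted.
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("ls -la", "ls -la; whoami", "ls $(whoami)", "uptime", "cat notes.txt"):
        print(f"{sample!r:22} -> {'accepted' if is_valid_command(sample) else 'rejected'}")
```

The handler then calls `run_command(cmd)` and returns `result.stdout` (and `result.stderr`, if that is wanted) instead of reading from `process.communicate()`. Whether a web endpoint should run shell commands at all is a separate design question; the allowlist at least bounds what it can run.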

cursor = conn.cursor()
try:
sql_query = f"SELECT * FROM video_games WHERE title = '{query}'"
cursor.execute(sql_query)

Security control: Static Code Analysis Python Semgrep

Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection

Avoid SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL injection. To execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-api/main-2.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

try:
# Vulnerable SQL query using string interpolation
query = "SELECT password FROM users WHERE username = '{}'".format(username)
cursor.execute(query)

Security control: Static Code Analysis Python Semgrep

Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection

Avoid SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL injection. To execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option.

Severity: HIGH



Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-app/app2.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command
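
Added example (not code from this PR or the repository): the parameterised form that every SQL injection finding on this PR asks for, shown against the `"... WHERE username = '{}'".format(username)` pattern flagged here and the equivalent f-string and `%s` patterns flagged in main.py, main-2.py and the login handler. The in-memory sqlite3 table, its rows and the function names are constructed for the illustration; the lookup input used to show the difference is the `admin' OR '1'='1` value pre-filled in the app's own form.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory fixture; not the repository's schema or data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "constructed-admin-hash"), ("alice", "constructed-alice-hash")],
    )
    conn.commit()
    return conn


def lookup_password_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flagged pattern: the value is spliced into the statement text, so a
    quote inside it terminates the literal and the remainder is parsed as SQL."""
    query = "SELECT password FROM users WHERE username = '{}'".format(username)
    return [row[0] for row in conn.execute(query)]


def lookup_password_safe(conn: sqlite3.Connection, username: str) -> list:
    """A qmark placeholder: the driver binds the value after the statement has
    been parsed, so it can only ever be compared as a string, quotes and all."""
    query = "SELECT password FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def lookup_password_named(conn: sqlite3.Connection, username: str) -> list:
    """The same with named parameters, the style SQLAlchemy's text() uses."""
    query = "SELECT password FROM users WHERE username = :username"
    return [row[0] for row in conn.execute(query, {"username": username})]


if __name__ == "__main__":
    db = make_demo_db()
    probe = "admin' OR '1'='1"
    print("vulnerable:", lookup_password_vulnerable(db, probe))  # both rows
    print("qmark     :", lookup_password_safe(db, probe))        # no such user
    print("named     :", lookup_password_named(db, probe))       # no such user
    print("alice     :", lookup_password_safe(db, "alice"))
```

The same shape applies to the other drivers in this repository: mysql2 takes `?` placeholders with a values array (`connection.query(sql, [value], cb)`), and Sequelize's `query()` accepts a `replacements` option, so there is no driver here that needs the SQL text assembled by hand.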

metadata:
labels:
app: {{ .Values.insecureApp.appName }}
spec:


Semgrep identified an issue in your code:

When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container, with the parameter runAsNonRoot set to true. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a securityContext to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

To resolve this comment:

💡 Follow autofix suggestion

Suggested change
spec:
spec:
securityContext:
runAsNonRoot: true #:
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-as-non-root.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +100 to +165
return render_template_string("""
<h1>Intentionally Insecure App</h1>
<hr>
<!-- Command Injection -->
<form action="/" method="post">
<h2>Command Injection</h2>
<input type="text" name="command" value="ls -la">
<input type="submit" value="Run">
</form>
<br>
<!-- File Upload -->
<form action="/" method="post" enctype="multipart/form-data">
<h2>Path Traversal via File Upload</h2>
<input type="file" name="file">
<input type="submit" value="Upload">
</form>
<p>Try uploading a file named: <code>../../../../etc/passwd</code></p>
<br>
<!-- SQL Injection -->
<form action="/" method="post">
<h2>SQL Injection</h2>
<input type="text" name="sql" value="SELECT * FROM users WHERE username = 'admin' OR '1'='1'">
<input type="submit" value="Run">
</form>
<br>
<!-- Cross-Site Scripting (XSS) -->
<form action="/" method="post">
Enter XSS payload: <input type="text" name="xss" value="<script>alert('XSS');</script>">
<input type="submit" value="Run">
</form>
<br>
<!-- XML External Entity (XXE) Injection -->
<form action="/" method="post">
<h2>XML External Entity (XXE) Injection</h2>
<textarea name="xml" rows="5" cols="50">
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
</textarea>
<input type="submit" value="Parse XML">
</form>
<br>
<!-- Server-Side Request Forgery (SSRF) -->
<form action="/" method="post">
<h2>Server-Side Request Forgery (SSRF)</h2>
<input type="text" name="url" value="http://localhost:8080/">
<input type="submit" value="Request">
</form>
<br>
<!-- SQL Injection 2 -->
<h2>SQL Injection 2</h2>
<form action="/" method="post">
Enter Username: <input type="text" name="username" value="' UNION SELECT username || ' : ' || password FROM users --">
<input type="submit" value="Lookup">
</form>
<hr>
<pre>{{ output|safe }}</pre>
""", output=output)


Semgrep identified an issue, but thinks it may be safe to ignore.

Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.

Why this might be safe to ignore:

The matched code is part of an intentionally insecure application, likely for educational or testing purposes. The use of 'render_template_string' here is deliberate to demonstrate vulnerabilities, and not a security risk in a production context.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by render-template-string.

You can view more details about this finding in the Semgrep AppSec Platform.

@app.get("/redirect")
def unsafe_redirect(next: str):
# Vulnerability: Unvalidated redirect (API10:2019 - Unsafe Consumption of APIs)
return RedirectResponse(url=next)


Semgrep identified an issue in your code:

The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-api/main-2.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-api/main-2.py#L212 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 212] next</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-api/main-2.py#L212 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 212] next</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-api/main-2.py#L214 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 214] next</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink



To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-redirect-fastapi.

You can view more details about this finding in the Semgrep AppSec Platform.
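The allowlist check the message asks for is easy to get subtly wrong, because the dangerous inputs are not the obvious `https://evil.com` but the forms a browser interprets differently from a naive string check. The following is an added example, not code from insecure-api/main-2.py or from the Semgrep rule; the allowed hosts are an assumption. It returns a safe target for a `next` parameter, and the caller would pass the result to FastAPI's `RedirectResponse` (or any framework's redirect) instead of the raw value.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (assumed for the example).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on an allowlisted host, else `default`.

    Accepted: a same-origin relative path ('/dashboard') or an absolute http(s)
    URL whose host is in the allowlist. Rejected: other hosts, other schemes
    (javascript:, data:), scheme-relative '//host' forms, userinfo tricks
    ('https://app.example.com@evil.com') and backslash variants ('/\\evil.com').
    """
    if not next_url:
        return default
    # Browsers treat '\' like '/' in the authority position, so '/\evil.com'
    # navigates to evil.com even though urlsplit() sees a plain path. Normalise first.
    candidate = next_url.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative: must start with exactly one '/' to stay on this origin.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    if parts.scheme not in ("http", "https"):
        return default                      # javascript:, data:, file:, or '//host'
    if parts.username is not None or parts.password is not None:
        return default                      # 'https://app.example.com@evil.com/'
    if parts.hostname not in allowed_hosts:
        return default                      # hostname is lower-cased by urlsplit
    return candidate
```

Comparing `parts.hostname` ignores the port; if the allowlisted hosts serve different applications on different ports, compare the full `netloc` instead. Whatever the check decides, the interstitial the message recommends ("you are leaving this site for X") still belongs in front of any off-origin target.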

kind: Pod
metadata:
  name: s-5
spec:


Semgrep identified an issue in your code:

When running containers in Kubernetes, it's important to ensure that they are properly secured to prevent privilege escalation attacks. One potential vulnerability is when a container is allowed to run applications as the root user, which could allow an attacker to gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container, with the parameter runAsNonRoot set to true. This will ensure that the container runs as a non-root user, limiting the damage that could be caused by any potential attacks. By adding a securityContext to the container in your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

To resolve this comment:

💡 Follow autofix suggestion

Suggested change
-spec:
+spec:
+  securityContext:
+    runAsNonRoot: true

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-as-non-root.

You can view more details about this finding in the Semgrep AppSec Platform.
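The autofix adds `runAsNonRoot` at pod level, which is the right default, but a container-level `securityContext` overrides the pod-level one, so a sidecar that sets `runAsUser: 0` still runs as root. The checker below is an added example, not part of the repository or the Semgrep rule; the two pod specs are constructed dicts in the shape `yaml.safe_load()` would return for a manifest, and the container names are assumptions. It applies the same precedence the kubelet does and returns the containers that are not guaranteed to run as non-root.

```python
# Constructed pod specs (what yaml.safe_load() returns for the manifest).
INSECURE_POD = {
    "kind": "Pod",
    "metadata": {"name": "s-5"},
    "spec": {
        "containers": [{"name": "app", "image": "app:latest"}],
    },
}

PATCHED_POD = {
    "kind": "Pod",
    "metadata": {"name": "s-5"},
    "spec": {
        # The suggested fix, applied at pod level.
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "app", "image": "app:latest"},
            # Container-level fields win over pod-level ones, so this sidecar
            # runs as root despite the pod setting.
            {"name": "debug", "image": "busybox", "securityContext": {"runAsUser": 0}},
        ],
    },
}


def may_run_as_root(pod):
    """Names of containers (init and regular) that may run as UID 0.

    Precedence mirrors the kubelet: container.securityContext fields override
    pod.spec.securityContext fields; fields absent at container level inherit.
    """
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = {**pod_ctx, **(c.get("securityContext") or {})}
        run_as_user = ctx.get("runAsUser")
        if run_as_user == 0:
            findings.append(c["name"])          # explicitly root
        elif run_as_user is None and not ctx.get("runAsNonRoot"):
            findings.append(c["name"])          # falls back to the image default, often root
        # A non-zero runAsUser, or runAsNonRoot: true (kubelet refuses to start a
        # UID-0 image), is acceptable.
    return findings
```

Running it over the two specs gives `["app"]` for the unpatched pod and `["debug"]` for the patched one: the pod-level fix covers `app` but not the overriding sidecar, which is the case to look for when reviewing the suggested change. Note that `runAsNonRoot: true` on its own only works when the image declares a numeric, non-zero `USER`; for an image whose `USER` is a name the kubelet cannot verify it and the pod fails to start, so setting `runAsUser` alongside it is the robust form.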

    try:
        # Vulnerable SQL query using string interpolation
        query = "SELECT password FROM users WHERE username = '{}'".format(username)
        cursor.execute(query)


Semgrep identified an issue in your code:

Avoiding SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL Injection. In order to execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by sqlalchemy-execute-raw-query.

You can view more details about this finding in the Semgrep AppSec Platform.

    cursor = conn.cursor()
    try:
        sql_query = f"SELECT * FROM video_games WHERE title = '{query}'"
        cursor.execute(sql_query)


Semgrep identified an issue in your code:

Avoiding SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL Injection. In order to execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
-        cursor.execute(sql_query)
+        sql_query = "SELECT * FROM video_games WHERE title = ?"
+        cursor.execute(sql_query, (query,))
View step-by-step instructions
  1. Change the SQL query to use parameterized queries to prevent SQL injection. Replace the line sql_query = f"SELECT * FROM video_games WHERE title = '{query}'" with sql_query = "SELECT * FROM video_games WHERE title = ?".
  2. Pass the query parameter as a tuple to the execute method. Update the cursor.execute(sql_query) line to cursor.execute(sql_query, (query,)).

This change uses SQLite's parameterized query feature, which automatically handles escaping and prevents SQL injection attacks.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by sqlalchemy-execute-raw-query.

You can view more details about this finding in the Semgrep AppSec Platform.

    username = request.form['username']
    try:
        # Vulnerable SQL query using string interpolation
        query = "SELECT password FROM users WHERE username = '{}'".format(username)


Semgrep identified an issue in your code:

Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.

Dataflow graph (insecure-app/app2.py, https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py):
  Source: [Line: 87] request.form
  Trace:  [Line: 87] username
  Sink:   [Line: 90] "SELECT password FROM users WHERE username = '{}'".format(username)

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-sql-string.

You can view more details about this finding in the Semgrep AppSec Platform.

        # 2 - Command Injection
        if 'command' in request.form:
            cmd = request.form['command']
            process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


Semgrep identified an issue in your code:

Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.

Dataflow graph (insecure-app/app2.py, https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py):
  Source: [Line: 30] request.form['command']
  Trace:  [Line: 30] cmd
  Sink:   [Line: 31] cmd

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-os-command-stdlib-flask-secure-if-array.

You can view more details about this finding in the Semgrep AppSec Platform.

@PostMapping("/unsafeDeserialize")
public ResponseEntity<String> unsafeDeserialization(@RequestBody byte[] data) {
    try {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));


Semgrep identified an issue in your code:

The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: Deserialization prevention. We do not recommend deserializing untrusted data with the ObjectInputStream. If you must, you can try overriding the ObjectInputStream#resolveClass() method or using a safe replacement for the generic readObject() method.

Dataflow graph (insecure-java/src/main/java/com/example/insecurejava/unsafe2.java.java, https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-java/src/main/java/com/example/insecurejava/unsafe2.java.java):
  Source: [Line: 14] data
  Trace:  [Line: 14] data
  Sink:   [Line: 16] new ByteArrayInputStream(data)

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by objectinputstream-deserialization-spring.

You can view more details about this finding in the Semgrep AppSec Platform.
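The message names two mitigations: sign the serialised data and verify before parsing, and, where a native object format must be read, restrict which classes the loader may resolve (the `resolveClass()` override). The flagged code is Java, but the rest of this PR is Python, so the added example below shows both in Python; it is not code from the repository. HMAC over a JSON body replaces trusting the bytes, and `Unpickler.find_class` plays the role of `resolveClass`. The key, the allowlist and the attacker gadget are constructed for the example; the gadget is never executed, because the allowlisting loader rejects the global before the `reduce` step runs.

```python
import hashlib
import hmac
import io
import json
import os
import pickle

# Assumed key for the example; a real service loads this from a secret store.
SECRET_KEY = b"example-only-key-do-not-ship-0123456789"


def sign_payload(obj, key=SECRET_KEY):
    """Serialise `obj` as canonical JSON and prefix an HMAC-SHA256 tag over the bytes."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def load_signed(blob, key=SECRET_KEY):
    """Verify the tag, then parse. Raises ValueError on any mismatch; parsing
    never runs on unverified bytes, so there is nothing for a gadget to hit."""
    tag, sep, body = blob.partition(b".")
    if not sep:
        raise ValueError("malformed payload")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("signature mismatch")
    return json.loads(body)


def load_signed_or_none(blob, key=SECRET_KEY):
    try:
        return load_signed(blob, key)
    except ValueError:
        return None


class RestrictedUnpickler(pickle.Unpickler):
    """Python analogue of overriding ObjectInputStream#resolveClass: only the
    allowlisted (module, name) globals may be resolved while loading."""
    ALLOWED = {("collections", "OrderedDict")}   # assumed allowlist for the example

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data):
    """True if `data` loads under the allowlist, False if a forbidden global was referenced."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


class _Gadget:
    """Constructed attacker object: plain pickle.loads() would call os.system on load."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def malicious_pickle():
    return pickle.dumps(_Gadget())


def benign_pickle():
    return pickle.dumps({"user": "alice", "roles": ["viewer"]})
```

`is_safe_pickle(malicious_pickle())` is False and nothing is executed, because the GLOBAL opcode for `os.system` reaches `find_class` before the REDUCE opcode that would call it. The signed-JSON path is the one to prefer for new endpoints; the allowlisting loader is a containment measure for formats you cannot replace, and, as the message says, a safer replacement for `readObject()` in the Java case.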

        # 2 - Command Injection
        if 'command' in request.form:
            cmd = request.form['command']
            process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


Semgrep identified an issue in your code:

Detected subprocess function 'Popen' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'.

Dataflow graph (insecure-app/app2.py, https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py):
  Source: [Line: 30] request.form['command']
  Trace:  [Line: 30] cmd
  Sink:   [Line: 31] cmd

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
-            process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+import shlex  # Add this import at the top of your file
+# ...
+if request.method == 'POST':
+    # 2 - Command Injection
+    if 'command' in request.form:
+        cmd = shlex.split(request.form['command'])  # Use shlex.split to safely parse the command
+        process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)  # Remove shell=True
+        stdout, stderr = process.communicate()
+        if process.returncode == 0:
+            output = stdout.decode('utf-8')
+        else:
+            output = f"Error (Exit Code: {process.returncode}):\n{stderr.decode('utf-8')}"
View step-by-step instructions
  1. Import the shlex module at the top of your file with import shlex.
  2. Replace the line cmd = request.form['command'] with cmd = shlex.split(request.form['command']). This will safely parse the command string into a list of arguments.
  3. Update the subprocess.Popen call to remove the shell=True argument. This means changing subprocess.Popen(cmd, shell=True, ...) to subprocess.Popen(cmd, ...).

By using shlex.split, you ensure that the command is parsed safely, preventing command injection vulnerabilities. Removing shell=True further mitigates the risk by avoiding the shell's interpretation of the command.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by dangerous-subprocess-use.

You can view more details about this finding in the Semgrep AppSec Platform.

        # 2 - Command Injection
        if 'command' in request.form:
            cmd = request.form['command']
            process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


Semgrep identified an issue in your code:

Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
-            process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+            process = subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
View step-by-step instructions
  1. Change the shell=True argument to shell=False in the subprocess.Popen call.
  2. Modify the cmd variable to be a list of command arguments instead of a single string. For example, if cmd is a command like "ls -l", change it to ["ls", "-l"].
  3. Ensure that any user input included in the command is properly sanitized or validated to prevent command injection. For example, if cmd includes user input, validate that input against a whitelist of allowed commands or arguments.
  4. Update the subprocess.Popen call to use the modified cmd list. The call should look like subprocess.Popen(cmd, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE).

This change prevents the command from being executed in a shell, reducing the risk of shell injection vulnerabilities.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by subprocess-shell-true.

You can view more details about this finding in the Semgrep AppSec Platform.
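The three findings on this line (tainted-os-command-stdlib-flask-secure-if-array, dangerous-subprocess-use and subprocess-shell-true) point at the same fix, and the two autofix suggestions each cover half of it: dropping `shell=True` stops the shell from interpreting `;`, `|` and `$(...)`, and `shlex.split` turns the field into an argv list, but neither decides which binary may run. A user who submits `rm -rf /` still gets `["rm", "-rf", "/"]` executed. The added example below, which is not code from insecure-app/app2.py, combines both suggestions with the allowlist that step 3 of the second suggestion describes; the permitted verbs are assumptions for the example.

```python
import shlex
import subprocess

# Request verb -> fixed argv prefix. The verbs and binaries are assumed for the
# example; the application's real command set would go here.
ALLOWED_COMMANDS = {
    "echo": ["echo"],
    "uptime": ["uptime"],
}


def parse_request_command(raw):
    """Turn the form field into an argv list, or None if it is not permitted.

    shlex.split() is only a tokeniser: it would happily return ['rm', '-rf', '/'].
    The allowlist decides which binary runs; with shell=False the remaining
    tokens are passed as literal arguments and never re-parsed by a shell.
    """
    try:
        tokens = shlex.split(raw)
    except ValueError:                      # unbalanced quotes
        return None
    if not tokens or tokens[0] not in ALLOWED_COMMANDS:
        return None
    args = tokens[1:]
    if any(a.startswith("-") for a in args):  # no option smuggling into the binary
        return None
    return ALLOWED_COMMANDS[tokens[0]] + args


def run_allowlisted(raw):
    """Execute an allowlisted command and return its stdout."""
    argv = parse_request_command(raw)
    if argv is None:
        raise PermissionError("command not permitted")
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)
    return proc.stdout


def run_unsafe(raw):
    """The pattern Semgrep flagged, kept only for contrast. Never call with user input."""
    proc = subprocess.Popen(raw, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, _ = proc.communicate()
    return out.decode()
```

With `run_allowlisted("echo hello; id")` the output is the literal text `hello; id`, because `;` and `id` arrive as arguments to `echo` rather than as a second command; with `run_unsafe` the same input runs `id`. Even with the allowlist, the process should run as an unprivileged user in the container (see the run-as-non-root finding above), since the allowed binaries themselves remain an attack surface.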

(async () => {
    try {
        const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber};`;
        const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT });


Semgrep identified an issue in your code:

Detected a mysql2 SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.

Dataflow graph (insecure-js/server2.js, https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js):
  Source: [Line: 46] chunk
  Traces: [Line: 46] body -> [Line: 46] body -> [Line: 50] postData -> [Line: 112] query
  Sink:   [Line: 113] query

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.


Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by node-mysql-sqli.

You can view more details about this finding in the Semgrep AppSec Platform.
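The four SQL injection findings on this PR (the two sqlalchemy-execute-raw-query hits on the `video_games` lookup, the tainted-sql-string hit on the `users` login query, and this node-mysql-sqli hit on `Orders`) are the same bug in three files, and the suggested `?` placeholder is the fix for all of them; in Sequelize the equivalent is the `replacements` option of `sequelize.query` with `:name` placeholders. The added example below, which is not code from the repository, shows on an in-memory sqlite3 table why interpolation fails and the placeholder form does not; the rows are constructed for the demonstration. It runs two classic payloads, a tautology and a UNION that reads the schema, through both versions.

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows, shaped like the video_games lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE video_games (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO video_games (title, price) VALUES (?, ?)",
        [("Tetris", 9.99), ("Doom", 19.99), ("Unreleased Title", 0.0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, query):
    """The flagged pattern: the user's text becomes part of the SQL grammar."""
    sql = f"SELECT title FROM video_games WHERE title = '{query}'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, query):
    """The suggested fix: the driver passes the value out of band, so it can
    only ever be compared against `title`, never parsed as SQL."""
    sql = "SELECT title FROM video_games WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (query,))]


def search_named(conn, query):
    """Same protection with named placeholders, the form SQLAlchemy's text()
    and Sequelize's `replacements` option also use."""
    sql = "SELECT title FROM video_games WHERE title = :title"
    return [row[0] for row in conn.execute(sql, {"title": query})]


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "x' UNION SELECT name FROM sqlite_master WHERE type='table' --"
```

Against the vulnerable function the tautology returns every row and the UNION payload returns the table name from `sqlite_master`; the parameterized versions return no rows for either, because the whole string is compared as a title. Escaping quotes by hand is not an alternative: the placeholder is the only form in which the database never sees the user's bytes as code.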

@@ -0,0 +1 @@
{"version":"1.99.0","results":[{"check_id":"dockerfile.security.missing-user.missing-user","path":"insecure-api/Dockerfile","start":{"line":21,"col":1,"offset":515},"end":{"line":21,"col":67,"offset":581},"extra":{"metavars":{"$...VARS":{"start":{"line":21,"col":5,"offset":519},"end":{"line":21,"col":67,"offset":581},"abstract_content":"[\"uvicorn\"\"main:app\"\"--host\"\"0.0.0.0\"\"--port\"\"8000\"]"}},"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nCMD [\"uvicorn\", \"main:app\", \"--host\", \"0.0.0.0\", \"--port\", \"8000\"]","metadata":{"cwe":["CWE-269: Improper Privilege Management"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user.missing-user","shortlink":"https://sg.run/Gbvn","semgrep.dev":{"rule":{"origin":"community","r_id":20148,"rule_id":"AbUN06","rv_id":945269,"url":"https://semgrep.dev/playground/r/qkT4j4L/dockerfile.security.missing-user.missing-user","version_id":"qkT4j4L"}}},"severity":"ERROR","fingerprint":"25f3812a6390e38eca84b059a4836996e8a499976b2733ecfc3a15af0e3ab8a06edab7651035844e2cbce09e1a8b7b31970a2d7c3e4bc873153beabc64fa5610_0","lines":"CMD [\"uvicorn\", \"main:app\", \"--host\", \"0.0.0.0\", \"--port\", \"8000\"]","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","path":"insecure-api/main.py","start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":34,"offset":4572},"extra":{"metavars":{"$X":{"start":{"line":118,"col":65,"offset":4530},"end":{"line":118,"col":70,"offset":4535},"abstract_content":"query"},"$DB":{"start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":15,"offset":4553},"abstract_content":"cursor","propagated_value":{"svalue_start":{"line":116,"col":14,"offset":4443},"svalue_end":{"line":116,"col":27,"offset":4456},"svalue_abstract_content":"conn.cursor()"}},"$SQL":{"start":{"line":119,"col":24,"offset":4562},"end":{"line":119,"col":33,"offset":4571},"abstract_content":"sql_query","propagated_value":{"svalue_start":{"line":118,"col":21,"offset":4486},"svalue_end":{"line":118,"col":73,"offset":4538},"svalue_abstract_content":"f\"SELECT * FROM video_games WHERE title = '{query}'\""}}},"message":"Detected possible formatted SQL query. 
Use parameterized queries instead.","metadata":{"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"references":["https://stackoverflow.com/questions/775296/mysql-parameterized-queries"],"category":"security","technology":["python"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","shortlink":"https://sg.run/EkWw","semgrep.dev":{"rule":{"origin":"community","r_id":9637,"rule_id":"3qUP9k","rv_id":946343,"url":"https://semgrep.dev/playground/r/e1T98KK/python.lang.security.audit.formatted-sql-query.formatted-sql-query","version_id":"e1T98KK"}}},"severity":"WARNING","fingerprint":"c84a51a76657aa903cb26be4bb0a60c776dad0b186e5cfeca8de49b1100d223a0079207827b48de997c97f92526ec0509bfe21c3587dda43bb2ffd3dc27a7a59_0","lines":" 
cursor.execute(sql_query)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","path":"insecure-api/main.py","start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":34,"offset":4572},"extra":{"metavars":{"$CONNECTION":{"start":{"line":119,"col":9,"offset":4547},"end":{"line":119,"col":15,"offset":4553},"abstract_content":"cursor","propagated_value":{"svalue_start":{"line":116,"col":14,"offset":4443},"svalue_end":{"line":116,"col":27,"offset":4456},"svalue_abstract_content":"conn.cursor()"}},"$QUERY":{"start":{"line":119,"col":24,"offset":4562},"end":{"line":119,"col":33,"offset":4571},"abstract_content":"sql_query","propagated_value":{"svalue_start":{"line":118,"col":21,"offset":4486},"svalue_end":{"line":118,"col":73,"offset":4538},"svalue_abstract_content":"f\"SELECT * FROM video_games WHERE title = '{query}'\""}}},"message":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. 
In most cases, SQLAlchemy ORM will be a better option.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql","https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm","https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"],"category":"security","technology":["sqlalchemy"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","shortlink":"https://sg.run/2b1L","semgrep.dev":{"rule":{"origin":"community","r_id":10563,"rule_id":"oqUz5y","rv_id":946452,"url":"https://semgrep.dev/playground/r/8KTKj19/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","version_id":"8KTKj19"}}},"severity":"ERROR","fingerprint":"d66c7cd53b2919cf51e6625ae54a536489fdd8ea3ee6330b5a0fb2fd8bde2c819a5bc02728be7489ec513a519455c15b9c01ad0b3f43db19902a99f6220b7dfe_0","lines":" 
ract_content":"get"}},"message":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.","metadata":{"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)"],"references":["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"],"category":"security","technology":["django"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests","shortlink":"https://sg.run/YvY4","semgrep.dev":{"rule":{"origin":"community","r_id":9514,"rule_id":"j2UvEw","rv_id":946188,"url":"https://semgrep.dev/playground/r/1QToK1Y/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests","version_id":"1QToK1Y"}}},"severity":"ERROR","fingerprint":"fab6dfa09b05c5b55536041ea9183547a03254003da91e929744c051374c388e8d971e3ab4ca41e66fc7d1e22f889877016e2990bf9f711d2be4b13c8bc16fd6_0","lines":" url = request.form['url']\n try:\n response = requests.get(url)\n output = f\"SSRF Response: {response.text[:200]}\"\n except Exception as e:\n output = f\"SSRF Error: 
{e}\"","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.security.injection.ssrf-requests.ssrf-requests","path":"insecure-app/app.py","start":{"line":80,"col":28,"offset":2993},"end":{"line":80,"col":45,"offset":3010},"extra":{"metavars":{"$INTERM":{"start":{"line":78,"col":13,"offset":2923},"end":{"line":78,"col":16,"offset":2926},"abstract_content":"url"},"$W":{"start":{"line":78,"col":27,"offset":2937},"end":{"line":78,"col":31,"offset":2941},"abstract_content":"form"},"$FUNC":{"start":{"line":80,"col":37,"offset":3002},"end":{"line":80,"col":40,"offset":3005},"abstract_content":"get"}},"message":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.","metadata":{"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)"],"references":["https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"],"category":"security","technology":["flask"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests","shortlink":"https://sg.run/J9LW","semgrep.dev":{"rule":{"origin":"community","r_id":9546,"rule_id":"WAUoRx","rv_id":946226,"url":"https://semgrep.dev/playground/r/o5TZe8r/python.flask.security.injection.ssrf-requests.ssrf-requests","version_id":"o5TZe8r"}}},"severity":"ERROR","fingerprint":"4525c51704f25a76ff79dff00f116f744a0ee0e4df50661c6c0076b01455629a344469a5ba828e963fa20f78f9d8c8b632b49623a9ff9ef4ad241a301d1617e5_0","lines":" response = requests.get(url)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.net.tainted-flask-http-request-requests.tainted-flask-http-request-requests","path":"insecure-app/app.py","start":{"line":80,"col":41,"offset":3006},"end":{"line":80,"col":44,"offset":3009},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":78,"col":27,"offset":2937},"end":{"line":78,"col":31,"offset":2941},"abstract_content":"form"},"$FUNC":{"start":{"line":80,"col":37,"offset":3002},"end":{"line":80,"col":40,"offset":3005},"abstract_content":"get"},"$URL":{"start":{"line":80,"col":41,"offset":3006},"end":{"line":80,"col":44,"offset":3009},"abstract_content":"url","propagated_value":{"svalue_start":{"line":78,"col":19,"offset":2929},"svalue_end":{"line":78,"col":38,"offset":2948},"svalue_abstract_content":"request.form['url']"}}},"message":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. 
SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.","metadata":{"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","category":"security","subcategory":["vuln"],"cwe":["CWE-918: Server-Side Request Forgery (SSRF)"],"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"Server-Side Request Forgery (SSRF) with Flask","functional-categories":["net::sink::http-request::requests","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A10:2021 - Server-Side Request Forgery (SSRF)"],"references":["https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29"],"technology":["flask","flask-wtf","requests","web","wtforms"],"license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Server-Side Request Forgery (SSRF)"],"source":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-requests.tainted-flask-http-request-requests","shortlink":"https://sg.run/109zk","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":116522,"rule_id":"bwUbEzL","rv_id":947949,"url":"https://semgrep.dev/playground/r/1QToZr7/python.flask.net.tainted-flask-http-request-requests.tainted-flask-http-request-requests","version_id":"1QToZr7"}}},"severity":"ERROR","fingerprint":"b9ea27fee0799df8f4a4afd40cbd61dccca7c131e69366e582ff71ce00d5e7e990fcb5adf0c4e4656360f9d85e36588e47e177df2cb2e179cb7417e68cdfb5f2_0","lines":" response = requests.get(url)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":78,"col":19,"offset":2929},"end":{"line":78,"col":38,"offset":2948}},"request.form['url']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":78,"col":13,"offset":2923},"end":{"line":78,"col":16,"offset":2926}},"content":"url"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":80,"col":41,"offset":3006},"end":{"line":80,"col":44,"offset":3009}},"url"]]},"engine_kind":"OSS"}},{"check_id":"python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":98,"col":43,"offset":3811},"extra":{"metavars":{"$FUNC":{"start":{"line":15,"col":5,"offset":378},"end":{"line":15,"col":10,"offset":383},"abstract_content":"index"},"$DATA":{"start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285},"abstract_content":"username"},"$W":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$INTERM":{"start":{"line":90,"col":17,"offset":3412},"end":{"line":90,"col"
:22,"offset":3417},"abstract_content":"query"},"$STR":{"start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":75,"offset":3470},"abstract_content":"\"SELECT password FROM users WHERE username = '{}'\""},"$CURSOR":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"}},"message":"User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"],"category":"security","technology":["django"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","shortlink":"https://sg.run/qx7y","semgrep.dev":{"rule":{"origin":"community","r_id":9512,"rule_id":"2ZUbDL","rv_id":946186,"url":"https://semgrep.dev/playground/r/X0TL8rA/python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute","version_id":"X0TL8rA"}}},"severity":"WARNING","fingerprint":"7de13c47abcf430754420a48d341c9be3f7c9616b721a91fad2547e88f3a1ec7f778a8689a2d00e9752f224332372edb09cec074030cc5031feadeaf9c42e487_0","lines":" username = request.form['username']\n try:\n # Vulnerable SQL query using string interpolation\n query = \"SELECT password FROM users WHERE username = '{}'\".format(username)\n cursor.execute(query)\n result = cursor.fetchone()\n if result:\n output = f\"Password for {username}: {result[0]}\"\n else:\n output = \"User not found.\"\n except Exception as e:\n output = f\"SQL Error: {e}\"","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.injection.tainted-sql-string.tainted-sql-string","path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":7,"offset":6},"abstract_content":"SELECT"},"$ANYTHING":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$SQLSTR":{"start":{"line":90,"col":26,"offset":3421},"end":{"line":90,"col":74,"offset":3469},"abstract_content":"SELECT password FROM users WHERE username = '{}'"}},"message":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. 
An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.","metadata":{"cwe":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"],"owasp":["A08:2021 - Software and Data Integrity Failures"],"references":["https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection"],"category":"security","technology":["django"],"subcategory":["audit"],"impact":"LOW","likelihood":"MEDIUM","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Mass Assignment"],"source":"https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/PbZp","semgrep.dev":{"rule":{"origin":"community","r_id":14701,"rule_id":"lBU8Ad","rv_id":946190,"url":"https://semgrep.dev/playground/r/yeT0nKx/python.django.security.injection.tainted-sql-string.tainted-sql-string","version_id":"yeT0nKx"}}},"severity":"ERROR","fingerprint":"131b5e7e7d2ac6fc49fe8d7468f54e651a09d4a4706cdea3961e2fa888007b16999046aff46b29fadd3e0fa30f6ae43e0b461b4ae3bf39a7323b33e3c32d2ff8_0","lines":" query = \"SELECT password FROM users WHERE username = '{}'\".format(username)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":36,"offset":3300}},"request.form"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487}},"\"SELECT password FROM 
users WHERE username = '{}'\".format(username)"]]},"engine_kind":"OSS"}},{"check_id":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":7,"offset":6},"abstract_content":"SELECT"},"$ANYTHING":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$SQLSTR":{"start":{"line":90,"col":26,"offset":3421},"end":{"line":90,"col":74,"offset":3469},"abstract_content":"SELECT password FROM users WHERE username = '{}'"}},"message":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.","metadata":{"cwe":["CWE-704: Incorrect Type Conversion or Cast"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql","https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm","https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"],"category":"security","technology":["sqlalchemy","flask"],"subcategory":["vuln"],"impact":"MEDIUM","likelihood":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Validation"],"source":"https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/JxZj","semgrep.dev":{"rule":{"origin":"community","r_id":14702,"rule_id":"YGUDKQ","rv_id":946228,"url":"https://semgrep.dev/playground/r/pZTNO7z/python.flask.security.injection.tainted-sql-string.tainted-sql-string","version_id":"pZTNO7z"}}},"severity":"ERROR","fingerprint":"d78139633035de6bf1b9a560172a84f789b9ddd923facc66df7a193b8e313841e015366f2216bfa6d2a311380594d28e7b5da825a9eaeabb73bf9613adbdb29d_0","lines":" query = \"SELECT password FROM users WHERE username = '{}'\".format(username)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":36,"offset":3300}},"request.form"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":92,"offset":3487}},"\"SELECT password FROM users WHERE username = '{}'\".format(username)"]]},"engine_kind":"OSS"}},{"check_id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","path":"insecure-app/app.py","start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":38,"offset":3525},"extra":{"metavars":{"$DB":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$SQL":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users 
WHERE username = '{}'\".format(username)"}}},"message":"Detected possible formatted SQL query. Use parameterized queries instead.","metadata":{"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"references":["https://stackoverflow.com/questions/775296/mysql-parameterized-queries"],"category":"security","technology":["python"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","shortlink":"https://sg.run/EkWw","semgrep.dev":{"rule":{"origin":"community","r_id":9637,"rule_id":"3qUP9k","rv_id":946343,"url":"https://semgrep.dev/playground/r/e1T98KK/python.lang.security.audit.formatted-sql-query.formatted-sql-query","version_id":"e1T98KK"}}},"severity":"WARNING","fingerprint":"a74600ac310bdab04cc5ea8c2e7c25221703979f0286dde9018a90d2dbd6c16ea381c5d4f9cb97fbcac0b0aeef454a63c3f82f078d6fa9512358b6566e5263a3_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","path":"insecure-app/app.py","start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":38,"offset":3525},"extra":{"metavars":{"$SQL":{"start":{"line":90,"col":25,"offset":3420},"end":{"line":90,"col":75,"offset":3470},"abstract_content":"\"SELECT password FROM users WHERE username = 
'{}'\""},"$CONNECTION":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$QUERY":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql","https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm","https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column"],"category":"security","technology":["sqlalchemy"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","shortlink":"https://sg.run/2b1L","semgrep.dev":{"rule":{"origin":"community","r_id":10563,"rule_id":"oqUz5y","rv_id":946452,"url":"https://semgrep.dev/playground/r/8KTKj19/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","version_id":"8KTKj19"}}},"severity":"ERROR","fingerprint":"97cb38d9b784f2ccc9d408311b424efd2db86f21a63023679b620bdd2800fa8befdbbd093b704ba25840091646bc7b85382022dc1d4d980c88b5252c8720390a_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.flask.db.generic-sql-flask.generic-sql-flask","path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$AIOMYSQL_CURSOR":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$SINK":{"start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. 
The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with Flask","functional-categories":["db::sink::sql-or-nosql-query::aiomysql","db::sink::sql-or-nosql-query::aiopg","db::sink::sql-or-nosql-query::mysql-connector","db::sink::sql-or-nosql-query::mysqldb","db::sink::sql-or-nosql-query::pep249","db::sink::sql-or-nosql-query::psycopg2","db::sink::sql-or-nosql-query::pymssql","db::sink::sql-or-nosql-query::pymysql","db::sink::sql-or-nosql-query::pyodbc","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["aiomysql","aiopg","db-api","flask","flask-wtf","mssql","mysql","mysql-connector","mysqldb","pep249","postgres","psycopg2","pymssql","pymysql","pyodbc","sql","web","wtforms"],"license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/python.flask.db.generic-sql-flask.generic-sql-flask","shortlink":"https://sg.run/AbKXQ","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":116506,"rule_id":"0oULG2d","rv_id":947908,"url":"https://semgrep.dev/playground/r/rxT6kpn/python.flask.db.generic-sql-flask.generic-sql-flask","version_id":"rxT6kpn"}}},"severity":"ERROR","fingerprint":"a80f7e2b4c23589f94ab602f17de0c81936ee0e90bae9e1716a1ceca152f7466301e0b6af164ffe2e311facac9f4f61b278c6c1c47ef1e2e07fce41c0042a588_0","lines":" cursor.execute(query)","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":87,"col":24,"offset":3288},"end":{"line":87,"col":48,"offset":3312}},"request.form['username']"]],"intermediate_vars":[{"location":{"path":"insecure-app/app.py","start":{"line":87,"col":13,"offset":3277},"end":{"line":87,"col":21,"offset":3285}},"content":"username"},{"location":{"path":"insecure-app/app.py","start":{"line":90,"col":17,"offset":3412},"end":{"line":90,"col":22,"offset":3417}},"content":"query"}],"taint_sink":["CliLoc",[{"path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524}},"query"]]},"engine_kind":"OSS"}},{"check_id":"python.tars.flask.sql.prestodb.flask-prestodb-sqli.flask-prestodb-sqli","path":"insecure-app/app.py","start":{"line":91,"col":32,"offset":3519},"end":{"line":91,"col":37,"offset":3524},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"form"},"$PROPERTY":{"start":{"line":87,"col":32,"offset":3296},"end":{"line":87,"col":36,"offset":3300},"abstract_content":"form"},"$O":{"start":{"line":91,"col":17,"offset":3504},"end":{"line":91,"col":23,"offset":3510},"abstract_content":"cursor"},"$SINK":{"start":{"line":91,"col":32,"offset":3519},"end":{"line"
:91,"col":37,"offset":3524},"abstract_content":"query","propagated_value":{"svalue_start":{"line":90,"col":25,"offset":3420},"svalue_end":{"line":90,"col":92,"offset":3487},"svalue_abstract_content":"\"SELECT password FROM users WHERE username = '{}'\".format(username)"}}},"message":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.","metadata":{"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"SQL Injection with prestodb via flask","functional-categories":["db::sink::sql-or-nosql-query::prestodb","web::source::cookie::flask","web::source::form-data::flask","web::source::form-data::flask-wtf","web::source::form-data::wtforms","web::source::header::flask","web::source::http-body::flask","web::source::http-params::flask","web::source::url-path-params::flask"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://owasp.org/Top10/A03_2021-Injection"],"technology":["flask","flask-wtf","prestodb","python","web","wtforms"],"license":"Semgrep Rules License v1.0. 
This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.","metadata":{"cwe":["CWE-250: Execution with Unnecessary Privileges"],"references":["https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html"],"category":"security","technology":["kubernetes"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container","shortlink":"https://sg.run/Ygr5","semgrep.dev":{"rule":{"origin":"community","r_id":10058,"rule_id":"oqUz2p","rv_id":947059,"url":"https://semgrep.dev/playground/r/gETeWJA/yaml.kubernetes.security.privileged-container.privileged-container","version_id":"gETeWJA"}}},"severity":"WARNING","fingerprint":"ffd554b207fb80ce294cc034390d4474858d4264f036ada1a1c11e8b6925b9d1d3231425104899b500b80be005ad1001395576ee17aff2683b9cf73520697663_0","lines":" - name: {{ .Values.workloadSecurityEvaluator.appName }}\n image: \"{{ .Values.workloadSecurityEvaluator.image.repository }}:{{ .Values.workloadSecurityEvaluator.image.tag }}\"\n env:\n - name: AWS_ACCESS_KEY_ID\n value: AKIA2JAPX77RGLB664VE\n - name: AWS_SECRET_ACCESS_KEY\n value: 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\n securityContext:\n privileged: true\n volumeMounts:\n - mountPath: /var/run/docker.sock\n name: 
docker-socket","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":22,"col":18,"offset":704},"end":{"line":22,"col":38,"offset":724},"extra":{"metavars":{"$1":{"start":{"line":22,"col":18,"offset":704},"end":{"line":22,"col":22,"offset":708},"abstract_content":"AKIA"}},"message":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file.","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"source-rule-url":"https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go","category":"security","technology":["secrets","aws"],"confidence":"LOW","owasp":["A07:2021 - Identification and Authentication Failures"],"references":["https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","shortlink":"https://sg.run/GeD1","semgrep.dev":{"rule":{"origin":"community","r_id":9048,"rule_id":"oqUevO","rv_id":945484,"url":"https://semgrep.dev/playground/r/rxT6rnL/generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value","version_id":"rxT6rnL"}}},"severity":"ERROR","fingerprint":"d5ec8967dc8f57fcd421997dda6a0abac3a0cc762e6534246a83ffc2a37741ad06e18ee176aa6dbbc85c400080f78f59914c17b2bb32704ae8b360092860feca_0","lines":" value: AKIA2JAPX77RGLB664VE","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":25,"col":9,"offset":829},"end":{"line":25,"col":24,"offset":844},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":16,"offset":15},"abstract_content":"securityContext"},"$CONTAINER":{"start":{"line":18,"col":15,"offset":468},"end":{"line":18,"col":61,"offset":514},"abstract_content":"(())"},"$SC":{"start":{"line":25,"col":9,"offset":829},"end":{"line":25,"col":24,"offset":844},"abstract_content":"securityContext"}},"message":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. 
By adding the `allowPrivilegeEscalation` parameter to your `securityContext`, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.","fix":"securityContext:\n allowPrivilegeEscalation: false #","metadata":{"cwe":["CWE-732: Incorrect Permission Assignment for Critical Resource"],"owasp":["A05:2021 - Security Misconfiguration","A06:2017 - Security Misconfiguration"],"references":["https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag"],"category":"security","technology":["kubernetes"],"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","shortlink":"https://sg.run/ljp6","semgrep.dev":{"rule":{"origin":"community","r_id":10057,"rule_id":"6JUqEO","rv_id":947052,"url":"https://semgrep.dev/playground/r/d6TPzeB/yaml.kubernetes.security.allow-privilege-escalation.allow-privilege-escalation","version_id":"d6TPzeB"}}},"severity":"WARNING","fingerprint":"7021c010b8d0b11136f68b6c85d57b318861ada3d7a906b6942146314eb665dcc6e36826b1deb04c3c890bc829879387ca5ebfcd9d6960554f48900e55355b8f_0","lines":" securityContext:","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","path":"insecure-chart/templates/workload-security-evaluator.yaml","start":{"line":31,"col":9,"offset":990},"end":{"line":32,"col":37,"offset":1036},"extra":{"metavars":{},"message":"Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.","metadata":{"cwe":["CWE-250: Execution with Unnecessary Privileges"],"references":["https://kubernetes.io/docs/concepts/storage/volumes/#hostpath","https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems","https://kubernetes.io/docs/tasks/configure-pod-container/security-context/","https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers"],"category":"security","technology":["kubernetes"],"subcategory":["vuln"],"likelihood":"LOW","impact":"HIGH","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","shortlink":"https://sg.run/v0pR","semgrep.dev":{"rule":{"origin":"community","r_id":10133,"rule_id":"d8Uz6v","rv_id":947054,"url":"https://semgrep.dev/playground/r/nWTpYZe/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath","version_id":"nWTpYZe"}}},"severity":"WARNING","fingerprint":"b0fa2105cf388aaf61f7d9b9f73a03a2342c2992b3a938f4e64785c6ec896ee80151e782d77db28ca4efc171718fee4f95c80bb416c5f8c965787ea2faff9d45_0","lines":" - hostPath:\n path: /var/run/docker.sock","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","path":"insecure-java/Dockerfile","start":{"line":7,"col":1,"offset":130},"end":{"line":7,"col":38,"offset":167},"extra":{"metavars":{"$...VARS":{"start":{"line":7,"col":12,"offset":141},"end":{"line":7,"col":38,"offset":167},"abstract_content":"[\"java\"\"-jar\"\"/app.jar\"]"}},"message":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.","fix":"USER non-root\nENTRYPOINT [\"java\",\"-jar\",\"/app.jar\"]","metadata":{"cwe":["CWE-269: Improper Privilege Management"],"category":"security","technology":["dockerfile"],"confidence":"MEDIUM","owasp":["A04:2021 - Insecure Design"],"references":["https://owasp.org/Top10/A04_2021-Insecure_Design"],"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Improper Authorization"],"source":"https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","shortlink":"https://sg.run/k281","semgrep.dev":{"rule":{"origin":"community","r_id":47272,"rule_id":"ReUW9E","rv_id":945268,"url":"https://semgrep.dev/playground/r/K3TJbJg/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint","version_id":"K3TJbJg"}}},"severity":"ERROR","fingerprint":"8a9ae537c70377699ac7b95add8f39d7bc1192dbb0a0a2e524f7a4e126adfa3e0bcc6c074eeb891021d031d42e016675c69dd491f4bc4116bef9ab0dba840233_0","lines":"ENTRYPOINT [\"java\",\"-jar\",\"/app.jar\"]","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"java.spring.security.injection.tainted-sql-string.tainted-sql-string","path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":25,"col":24,"offset":763},"end":{"line":25,"col":80,"offset":819},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":7,"offset":6},"abstract_content":"SELECT"},"$METHODNAME":{"start":{"line":23,"col":19,"offset":652},"end":{"line":23,"col":25,"offset":658},"abstract_content":"search"},"$REQ":{"start":{"line":23,"col":27,"offset":660},"end":{"line":23,"col":39,"offset":672},"abstract_content":"RequestParam"},"$TYPE":{"start":{"line":23,"col":40,"offset":673},"end":{"line":23,"col":46,"offset":679},"abstract_content":"String"},"$SOURCE":{"start":{"line":23,"col":47,"offset":680},"end":{"line":23,"col":51,"offset":684},"abstract_content":"name"},"$SQLSTR":{"start":{"line":25,"col":25,"offset":764},"end":{"line":25,"col":66,"offset":805},"abstract_content":"SELECT * FROM cat_pictures WHERE name = '"}},"message":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). 
Manually-constructed SQL strings are a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.","metadata":{"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection"],"references":["https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html"],"category":"security","technology":["spring"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","interfile":true,"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string","shortlink":"https://sg.run/9rzz","semgrep.dev":{"rule":{"origin":"community","r_id":14767,"rule_id":"10UdRR","rv_id":945745,"url":"https://semgrep.dev/playground/r/8KTKj0G/java.spring.security.injection.tainted-sql-string.tainted-sql-string","version_id":"8KTKj0G"}}},"severity":"ERROR","fingerprint":"972b22c89a9412da436c82ad486252920fb59fae559c701cb90b25028e1799517d5c6797f5fd5a85ab13c3f05366cc2a858bdb566d53fc311eb720b717fae81f_0","lines":" String query = \"SELECT * FROM cat_pictures WHERE name = '\" + name + 
\"'\";","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":23,"col":47,"offset":680},"end":{"line":23,"col":51,"offset":684}},"name"]],"intermediate_vars":[{"location":{"path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":23,"col":47,"offset":680},"end":{"line":23,"col":51,"offset":684}},"content":"name"}],"taint_sink":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","start":{"line":25,"col":24,"offset":763},"end":{"line":25,"col":80,"offset":819}},"\"SELECT * FROM cat_pictures WHERE name = '\" + name + \"'\""]]},"engine_kind":"OSS"}},{"check_id":"java.lang.security.audit.object-deserialization.object-deserialization","path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":16,"col":13,"offset":594},"end":{"line":16,"col":91,"offset":672},"extra":{"metavars":{},"message":"Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. 
If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.","metadata":{"cwe":["CWE-502: Deserialization of Untrusted Data"],"owasp":["A08:2017 - Insecure Deserialization","A08:2021 - Software and Data Integrity Failures"],"source-rule-url":"https://find-sec-bugs.github.io/bugs.htm#OBJECT_DESERIALIZATION","references":["https://www.owasp.org/index.php/Deserialization_of_untrusted_data","https://www.oracle.com/java/technologies/javase/seccodeguide.html#8"],"category":"security","technology":["java"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"HIGH","confidence":"LOW","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Deserialization "],"source":"https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization","shortlink":"https://sg.run/Ek0A","semgrep.dev":{"rule":{"origin":"community","r_id":9181,"rule_id":"GdU7py","rv_id":945687,"url":"https://semgrep.dev/playground/r/bZTXw4q/java.lang.security.audit.object-deserialization.object-deserialization","version_id":"bZTXw4q"}}},"severity":"WARNING","fingerprint":"774378c1d79256d5bab570074c4a6bf6703250887fca212f1a813ada0f8d5de5e786961d4f0b746e5f6292cc9b46c41ca4308c9367ddf6932267ba763012620e_0","lines":" ObjectInputStream ois = new ObjectInputStream(new 
ByteArrayInputStream(data));","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":16,"col":59,"offset":640},"end":{"line":16,"col":89,"offset":670},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":12,"offset":11},"abstract_content":"RequestBody"},"$RET":{"start":{"line":14,"col":12,"offset":495},"end":{"line":14,"col":34,"offset":517},"abstract_content":"ResponseEntity<String>"},"$METHOD":{"start":{"line":14,"col":35,"offset":518},"end":{"line":14,"col":56,"offset":539},"abstract_content":"unsafeDeserialization"},"$REQ":{"start":{"line":14,"col":58,"offset":541},"end":{"line":14,"col":69,"offset":552},"abstract_content":"RequestBody"},"$TYPE":{"start":{"line":14,"col":70,"offset":553},"end":{"line":14,"col":76,"offset":559},"abstract_content":"byte[]"},"$SOURCE":{"start":{"line":14,"col":77,"offset":560},"end":{"line":14,"col":81,"offset":564},"abstract_content":"data"},"$IN":{"start":{"line":16,"col":59,"offset":640},"end":{"line":16,"col":89,"offset":670},"abstract_content":"new ByteArrayInputStream(data)"}},"message":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. 
For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.","metadata":{"likelihood":"MEDIUM","impact":"HIGH","confidence":"HIGH","category":"security","subcategory":["vuln"],"cwe":["CWE-502: Deserialization of Untrusted Data"],"cwe2020-top25":true,"cwe2021-top25":true,"cwe2022-top25":true,"display-name":"Unsafe Deserialization with Spring","functional-categories":["deserialization::sink::load-object::apache.commons","deserialization::sink::load-object::java.io","web::source::cookie::Spring","web::source::header::Spring","web::source::http-body::Spring","web::source::http-params::Spring","web::source::url-path-params::Spring"],"owasp":["A08:2017 - Insecure Deserialization","A08:2021 - Software and Data Integrity Failures"],"references":["https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures"],"supersedes":["java.servlets.security.objectinputstream-deserialization-servlets.objectinputstream-deserialization-servlets"],"technology":["Spring","java"],"license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Insecure Deserialization "],"source":"https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","shortlink":"https://sg.run/n1rY","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":46836,"rule_id":"x8UbG3","rv_id":973726,"url":"https://semgrep.dev/playground/r/44TZ832/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","version_id":"44TZ832"}}},"severity":"ERROR","fingerprint":"cf7d59dc3cc6ec8769d1ad54d6b20023fdc6a24ee7ca6c8f25038ac25f17038a6b41f6fdc82c002123e671f0a1de733e48b7071ad905fe83c69c36be56df73b4_0","lines":" ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));","is_ignored":false,"validation_state":"NO_VALIDATOR","dataflow_trace":{"taint_source":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":14,"col":77,"offset":560},"end":{"line":14,"col":81,"offset":564}},"data"]],"intermediate_vars":[{"location":{"path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":14,"col":77,"offset":560},"end":{"line":14,"col":81,"offset":564}},"content":"data"}],"taint_sink":["CliLoc",[{"path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":16,"col":59,"offset":640},"end":{"line":16,"col":89,"offset":670}},"new 
ByteArrayInputStream(data)"]]},"engine_kind":"OSS"}},{"check_id":"java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace","path":"insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","start":{"line":20,"col":13,"offset":870},"end":{"line":20,"col":32,"offset":889},"extra":{"metavars":{"$EXCEPTION":{"start":{"line":20,"col":13,"offset":870},"end":{"line":20,"col":14,"offset":871},"abstract_content":"e"}},"message":"Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information.","metadata":{"likelihood":"LOW","impact":"LOW","confidence":"MEDIUM","category":"security","subcategory":["audit"],"cwe":["CWE-489: Active Debug Code"],"functional-categories":["debug::search::active-debug-code::java.lang"],"owasp":["A10:2004 - Insecure Configuration Management","A06:2017 - Security Misconfiguration","A05:2021 - Security Misconfiguration"],"references":["https://cwe.mitre.org/data/definitions/489.html","https://www.acunetix.com/vulnerabilities/web/stack-trace-disclosure-java/","https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces","https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-information-exposure"],"technology":["java"],"license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Active Debug Code"],"source":"https://semgrep.dev/r/java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace","shortlink":"https://sg.run/4K8z","semgrep.dev":{"rule":{"origin":"pro_rules","r_id":27144,"rule_id":"v8U0rZ","rv_id":947426,"url":"https://semgrep.dev/playground/r/GxTP0lB/java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace","version_id":"GxTP0lB"}}},"severity":"WARNING","fingerprint":"2f2eab275674c6639e50192e695448a7c772946f53353aaee757181220ac95afd0f966ae7a8030ed35c10335559cfd3dc575ef1b0469ca831144c249ce451bd9_0","lines":" e.printStackTrace();","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/addComment.html","start":{"line":10,"col":5,"offset":425},"end":{"line":14,"col":12,"offset":705},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":10,"col":57,"offset":477},"end":{"line":10,"col":61,"offset":481},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. 
For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site Request Forgery (CSRF)"],"source":"https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token","shortlink":"https://sg.run/N0Bp","semgrep.dev":{"rule":{"origin":"community","r_id":73471,"rule_id":"PeUyYG","rv_id":946160,"url":"https://semgrep.dev/playground/r/BjT1NRl/python.django.security.django-no-csrf-token.django-no-csrf-token","version_id":"BjT1NRl"}}},"severity":"WARNING","fingerprint":"5195968eb1be4ef8a2cfa22014b4dca0bacb3cf656e20ede1b9f6636541b678ca576e1417883fcaadd8acac0ab3296c32e9068ecb662d0b91e386e823c8d43df_0","lines":" <form action=\"#\" th:action=\"@{/addComment}\" method=\"post\">\n <label>Comment:</label><br/>\n <textarea name=\"commentText\" rows=\"4\" cols=\"50\">&lt;script&gt;alert('XSS Attack');&lt;/script&gt;</textarea><br/>\n <button type=\"submit\">Add Comment</button>\n </form>","is_ignored":false,"validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"python.django.security.django-no-csrf-token.django-no-csrf-token","path":"insecure-java/src/main/resources/templates/comments.html","start":{"line":13,"col":13,"offset":452},"end":{"line":16,"col":20,"offset":693},"extra":{"metavars":{"$1":{"start":{"line":1,"col":1,"offset":0},"end":{"line":1,"col":5,"offset":4},"abstract_content":"post"},"$METHOD":{"start":{"line":13,"col":68,"offset":507},"end":{"line":13,"col":72,"offset":511},"abstract_content":"post"}},"message":"Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.","metadata":{"category":"security","cwe":"CWE-352: Cross-Site Request Forgery (CSRF)","references":["https://docs.djangoproject.com/en/4.2/howto/csrf/"],"confidence":"MEDIUM","likelihood":"MEDIUM","impact":"MEDIUM","subcategory":["audit"],"technology":["django"],"license":"Semgrep Rules License v1.0. 
ava/gradle/wrapper/gradle-wrapper.properties","insecure-java/gradlew","insecure-java/gradlew.bat","insecure-java/settings.gradle","insecure-java/snyk_insecure-java.json","insecure-java/src/main/java/com/example/catapp/CatAppApplication.java","insecure-java/src/main/java/com/example/catapp/CatApplication.java","insecure-java/src/main/java/com/example/catapp/config/GlobalExceptionHandler.java","insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java","insecure-java/src/main/java/com/example/catapp/controllers/CommentController.java","insecure-java/src/main/java/com/example/catapp/controllers/HomeController.java","insecure-java/src/main/java/com/example/catapp/controllers/UserController.java","insecure-java/src/main/java/com/example/catapp/models/CatPicture.java","insecure-java/src/main/java/com/example/catapp/models/Comment.java","insecure-java/src/main/java/com/example/catapp/models/User.java","insecure-java/src/main/java/com/example/catapp/repositories/CatPictureRepository.java","insecure-java/src/main/java/com/example/catapp/repositories/CommentRepository.java","insecure-java/src/main/java/com/example/catapp/repositories/UserRepository.java","insecure-java/src/main/java/com/example/insecurejava/InsecureJavaApplication.java","insecure-java/src/main/java/com/example/insecurejava/UnsafeDeserializationController.java","insecure-java/src/main/resources/application.properties","insecure-java/src/main/resources/templates/addComment.html","insecure-java/src/main/resources/templates/addCommentResult.html","insecure-java/src/main/resources/templates/comments.html","insecure-java/src/main/resources/templates/csrf_attack.html","insecure-java/src/main/resources/templates/delete.html","insecure-java/src/main/resources/templates/deleteResult.html","insecure-java/src/main/resources/templates/editProfile.html","insecure-java/src/main/resources/templates/home.html","insecure-java/src/main/resources/templates/layout.html","insecure-java/src/main/resources
/templates/login.html","insecure-java/src/main/resources/templates/loginResult.html","insecure-java/src/main/resources/templates/profile.html","insecure-java/src/main/resources/templates/register.html","insecure-java/src/main/resources/templates/registerResult.html","insecure-java/src/main/resources/templates/search.html","insecure-java/src/main/resources/templates/searchResults.html","insecure-js/Dockerfile","insecure-js/data.db","insecure-js/init_db.js","insecure-js/package-lock.json","insecure-js/package.json","insecure-js/server.js","insecure-js/snyk.sarif","insecure-js/styles.css","llm-testing/llm-testing.py","llm-testing/openai-test.py","pixee-snyk.sarif.json","terraform/main.tf","terraform/outputs.tf","terraform/terraform.tf","terraform/variables.tf","workload-security-evaluator/Dockerfile","workload-security-evaluator/LICENSE","workload-security-evaluator/LICENSE-3rdparty.csv","workload-security-evaluator/NOTICE","workload-security-evaluator/README.md","workload-security-evaluator/docker-compose.yaml","workload-security-evaluator/notrelevant.md","workload-security-evaluator/notrelevant_layer.json"]},"interfile_languages_used":[],"skipped_rules":[]}

Semgrep identified an issue in your code:

Generic Secret detected

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detected-generic-secret.

You can view more details about this finding in the Semgrep AppSec Platform.

""", output=output)

if __name__ == '__main__':
app.run(host='0.0.0.0', port=8080, debug=True)

Semgrep identified an issue in your code:

Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by debug-enabled.

You can view more details about this finding in the Semgrep AppSec Platform.

name: s-5
spec:
containers:
- name: s-5

Semgrep identified an issue in your code:

In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain setuid or setgid binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container in the pod, with the parameter allowPrivilegeEscalation set to false. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a securityContext to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

To resolve this comment:

💡 Follow autofix suggestion

Suggested change
- name: s-5
- securityContext:
allowPrivilegeEscalation: false
name: s-5
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by allow-privilege-escalation-no-securitycontext.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +14 to +19
const connection = mysql.createConnection({
host: 'localhost',
user: 'root',
password: 'topsecret',
database: 'database'
});

Semgrep identified an issue in your code:

A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-js/server2.js</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] {<br>  host: &apos;localhost&apos;,<br>  user: &apos;root&apos;,<br>  password: &apos;topsecret&apos;,<br>  database: &apos;database&apos;<br>}</a>"]
        end
        %% Intermediate

        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] {<br>  host: &apos;localhost&apos;,<br>  user: &apos;root&apos;,<br>  password: &apos;topsecret&apos;,<br>  database: &apos;database&apos;<br>}</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    File0:::invis

    %% Connections

    Source --> Sink


To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by node-mysql-hardcoded-secret.

You can view more details about this finding in the Semgrep AppSec Platform.

const hostname = '0.0.0.0';
const port = 3000;

const server = http.createServer((req, res) => {

Semgrep identified an issue in your code:

Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by using-http-server.

You can view more details about this finding in the Semgrep AppSec Platform.

value: AKIA2JAPX77RGLB664VE
- name: AWS_SECRET_ACCESS_KEY
value: v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5
securityContext:

Semgrep identified an issue in your code:

In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain setuid or setgid binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a securityContext to the container in the pod, with the parameter allowPrivilegeEscalation set to false. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding the allowPrivilegeEscalation parameter to the securityContext, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.

To resolve this comment:

💡 Follow autofix suggestion

Suggested change
securityContext:
securityContext:
allowPrivilegeEscalation: false #:
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by allow-privilege-escalation.

You can view more details about this finding in the Semgrep AppSec Platform.

""", output=output)

if __name__ == '__main__':
app.run(host='0.0.0.0', port=8080, debug=True)

Semgrep identified an issue in your code:

Running flask app with host 0.0.0.0 could expose the server publicly.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by avoid_app_run_with_bad_host.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +32 to +33
hostPath:
path: /var/run/docker.sock

Semgrep identified an issue in your code:

Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by exposing-docker-socket-hostpath.

You can view more details about this finding in the Semgrep AppSec Platform.
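The three Kubernetes findings above (allow-privilege-escalation-no-securitycontext, allow-privilege-escalation and exposing-docker-socket-hostpath) are cheap to check for before a chart ever reaches a cluster. The following is an added example, not code from this PR or from Semgrep: a small policy check over a pod manifest already loaded as a dict (the structure `yaml.safe_load` returns for a template). The manifest, the container and volume names, and the rule labels used in the output are constructed for the example.

```python
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

# Constructed manifest (names hypothetical) shaped like the templates
# commented on above: one container with no securityContext, one whose
# securityContext omits allowPrivilegeEscalation, one compliant container,
# and a hostPath volume pointing at the Docker socket.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "s-5"},
    "spec": {
        "containers": [
            {"name": "s-5", "image": "busybox"},
            {"name": "worker", "image": "busybox",
             "securityContext": {"runAsNonRoot": True}},
            {"name": "hardened", "image": "busybox",
             "securityContext": {"allowPrivilegeEscalation": False}},
        ],
        "volumes": [
            {"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "scratch", "emptyDir": {}},
        ],
    },
}


def pod_spec_of(manifest):
    """Return the PodSpec dict for a Pod, or for a workload that embeds a pod template."""
    spec = manifest.get("spec", {})
    if "template" in spec:  # Deployment, StatefulSet, DaemonSet, Job
        return spec["template"].get("spec", {})
    return spec


def check_pod(manifest):
    """Return a list of (rule_id, message) tuples; an empty list means no findings."""
    findings = []
    spec = pod_spec_of(manifest)
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext")
        if ctx is None:
            findings.append(("allow-privilege-escalation-no-securitycontext",
                             f"container {name!r} has no securityContext"))
        elif ctx.get("allowPrivilegeEscalation") is not False:
            # Missing, or explicitly true: both leave setuid escalation possible
            findings.append(("allow-privilege-escalation",
                             f"container {name!r} does not set allowPrivilegeEscalation: false"))
    for v in spec.get("volumes", []):
        path = (v.get("hostPath") or {}).get("path", "")
        if path.rstrip("/") in DOCKER_SOCKET_PATHS:
            findings.append(("exposing-docker-socket-hostpath",
                             f"volume {v.get('name')!r} mounts the host Docker socket {path}"))
    return findings


if __name__ == "__main__":
    for rule_id, message in check_pod(SAMPLE_POD):
        print(f"{rule_id}: {message}")
```

CronJob nests the pod template one level deeper (spec.jobTemplate.spec.template), which this check does not handle; extend `pod_spec_of` before running it over those. Mounting the socket under a different name, or bind-mounting its parent directory, also evades the path comparison, so treat this as a pre-commit tripwire rather than a substitute for an admission policy.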

try:
# Vulnerable SQL query using string interpolation
query = "SELECT password FROM users WHERE username = '{}'".format(username)
cursor.execute(query)

Semgrep identified an issue in your code:

Detected possible formatted SQL query. Use parameterized queries instead.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by formatted-sql-query.

You can view more details about this finding in the Semgrep AppSec Platform.

@PostMapping("/unsafeDeserialize")
public ResponseEntity<String> unsafeDeserialization(@RequestBody byte[] data) {
try {
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));

Semgrep identified an issue in your code:

Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by object-deserialization.

You can view more details about this finding in the Semgrep AppSec Platform.
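The finding above suggests two mitigations for the ObjectInputStream endpoint: sign the stream so tampering is detected, and transmit only fields rather than whole objects. The block below is an added example of that pattern, not code from this PR; the controller it refers to is Java, and the pattern is shown here in Python to keep the added examples on this page in one language. The field allowlist and the key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Hypothetical field allowlist for a "comment" payload; a real service lists its own.
ALLOWED_FIELDS = frozenset({"author", "text"})


def sign_payload(key: bytes, fields: dict) -> bytes:
    """Serialize plain fields as canonical JSON and prefix an HMAC-SHA256 tag."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(tag + body)


def load_payload(key: bytes, blob: bytes, allowed_fields=ALLOWED_FIELDS) -> dict:
    """Verify the tag before parsing, then reject unexpected fields.

    Only data comes back out: the caller builds its own objects from the
    dict, so no class is instantiated on the attacker's say-so.
    """
    raw = base64.b64decode(blob, validate=True)
    if len(raw) < TAG_LEN:
        raise ValueError("payload too short")
    tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("payload signature mismatch")
    fields = json.loads(body)
    if not isinstance(fields, dict):
        raise ValueError("payload must be a JSON object")
    extra = set(fields) - allowed_fields
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    return fields


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed key; load a real one from a secret store
    blob = sign_payload(key, {"author": "alice", "text": "hello"})
    print(load_payload(key, blob))
```

The tag is checked before the body is parsed, so a forged or modified payload never reaches the parser. Note that signing only helps when the producer is a trusted service holding the key; a payload that browsers submit directly is untrusted regardless, and the right fix there is the fields-only format on its own, with the endpoint never touching ObjectInputStream.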

# 2 - Command Injection
if 'command' in request.form:
cmd = request.form['command']
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

Semgrep identified an issue in your code:

Detected user input entering a subprocess call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-app/app2.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L30 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 30] request.form[&apos;command&apos;]</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L30 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 30] cmd</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L31 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 31] subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# Define a dictionary of allowed commands
allowed_commands = {
'list': ['ls', '-l'],
'date': ['date']
}
if 'command' in request.form:
cmd_key = request.form['command']
cmd = allowed_commands.get(cmd_key)
if cmd is not None:
# Execute the allowed command
process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = process.communicate()
if process.returncode == 0:
output = stdout.decode('utf-8')
else:
output = f"Error (Exit Code: {process.returncode}):\n{stderr.decode('utf-8')}"
else:
output = "Error: Command not allowed."
View step-by-step instructions
  1. Avoid using shell=True in the subprocess.Popen call. This can be done by passing the command as a list of arguments instead of a single string.
  2. Create a dictionary of allowed commands to ensure only safe commands are executed. For example, allowed_commands = {'list': ['ls', '-l'], 'date': ['date']}.
  3. Retrieve the command from the form and check if it is in the allowed commands dictionary. For example, cmd_key = request.form['command'] and cmd = allowed_commands.get(cmd_key).
  4. If the command is not allowed, return an error message or handle it appropriately.
  5. If the command is allowed, execute it using subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) without shell=True.

This approach ensures that only predefined, safe commands can be executed, preventing command injection vulnerabilities.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by subprocess-injection.

You can view more details about this finding in the Semgrep AppSec Platform.

username = ''
password = ''
try:
cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password))

Semgrep identified an issue in your code:

Detected possible formatted SQL query. Use parameterized queries instead.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by formatted-sql-query.

You can view more details about this finding in the Semgrep AppSec Platform.

def fetch_url_content(url: str):
# Vulnerability: No validation of the URL (API10:2019 - Unsafe Consumption of APIs)
try:
response = requests.get(url)

Semgrep identified an issue in your code:

Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-api/main-2.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-api/main-2.py#L202 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 202] url</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-api/main-2.py#L202 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 202] url</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-api/main-2.py#L205 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 205] url</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-fastapi-http-request-requests.

You can view more details about this finding in the Semgrep AppSec Platform.
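The SSRF finding above recommends strict validation and a host allowlist before user input reaches `requests.get`. The following is an added example of such a gate, not code from this PR or from Semgrep: it accepts only HTTPS URLs whose host is on an allowlist, rejects IP literals outright, and exposes the address check separately so it can be reused after DNS resolution. The allowlist entries are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist; a real service lists the upstreams it actually calls.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})
ALLOWED_SCHEMES = frozenset({"https"})


def is_forbidden_ip(ip_str: str) -> bool:
    """True for addresses a server-side fetch must never reach.

    Covers loopback, RFC 1918 ranges, link-local (which includes the cloud
    metadata address 169.254.169.254), multicast, reserved and unspecified.
    """
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return url unchanged if it may be fetched, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name: checked against the allowlist below
    else:
        raise ValueError(f"IP literal not allowed: {host}")
    if host.lower().rstrip(".") not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host}")
    return url


def fetch_url_content_safe(url: str, getter):
    """Validate first, then hand the URL to the caller's fetch function (e.g. requests.get)."""
    return getter(validate_outbound_url(url))


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/items",
                      "https://169.254.169.254/latest/meta-data/",
                      "file:///etc/passwd"):
        try:
            print("allowed:", validate_outbound_url(candidate))
        except ValueError as exc:
            print("rejected:", candidate, "->", exc)
```

Two caveats a name allowlist does not cover: an allowlisted name can resolve to an internal address (DNS rebinding or a compromised zone), so resolve it and run `is_forbidden_ip` on the result at connection time; and the upstream can redirect to an internal URL, so fetch with `allow_redirects=False` and re-validate any Location you choose to follow.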

const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber3};`;
responseMessages.push(`<p>Executing SQL query: ${query}</p>`);

connection.query(query, (err, rows) => {

Semgrep identified an issue in your code:

Detected a mysql2 SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-js/server2.js</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] chunk</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]

            v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] body</a>"]

            v4["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L50 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 50] postData</a>"]

            v5["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L76 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 76] query</a>"]
        end
            v2 --> v3
            v3 --> v4
            v4 --> v5
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-js/server2.js#L79 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 79] query</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink


To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by node-mysql-sqli.

You can view more details about this finding in the Semgrep AppSec Platform.


# Example hardcoded AWS credentials (sensitive data leakage)
aws_access_key_id = 'AKIA2JAPX77RGLB664VE'
aws_secret = 'v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5'

Semgrep identified an issue in your code:

AWS Secret Access Key detected

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detected-aws-secret-access-key.

You can view more details about this finding in the Semgrep AppSec Platform.
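The node-mysql-hardcoded-secret and detected-aws-secret-access-key findings above are the kind of thing a pre-commit secret scanner catches before the key ever lands in history. The following is an added example of that detection logic, not code from this PR or from Semgrep: a regex for the fixed-format key ID, and an entropy filter for the prefix-less 40-character secret. The sample text uses the two values quoted in the finding above; the filler line is constructed.

```python
import math
import re

# Access key IDs have a fixed prefix (AKIA for long-lived keys, ASIA for
# temporary ones) and a fixed length, so a regex is enough.
AWS_ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[0-9A-Z]{16})(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet with no
# prefix, so candidates are filtered by entropy to drop filler strings.
AWS_SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off, tune per repository

# Constructed sample: the two values quoted in the finding above plus a
# low-entropy 40-character filler that must not be reported.
SAMPLE_SOURCE = (
    "aws_access_key_id = 'AKIA2JAPX77RGLB664VE'\n"
    "aws_secret = 'v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5'\n"
    "filler = '" + "a" * 40 + "'\n"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str):
    """Return (line_number, rule_id, matched_value) for each suspected AWS credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws-access-key-id", m.group(1)))
        for m in AWS_SECRET_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "aws-secret-access-key", candidate))
    return findings


if __name__ == "__main__":
    for lineno, rule_id, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule_id}: {value[:4]}...")  # never echo the full secret
```

Entropy alone misfires on hashes and base64 blobs, so in practice a 40-character hit is only escalated when a key ID appears nearby in the same file. A key that has been committed is treated as burned regardless of how fast the commit is reverted: rotate it in IAM, then scrub history.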

try:
# Vulnerable SQL query using string interpolation
query = "SELECT password FROM users WHERE username = '{}'".format(username)
cursor.execute(query)

Semgrep identified an issue in your code:

Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-app/app2.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] request.form[&apos;username&apos;]</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] username</a>"]

            v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L90 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 90] query</a>"]
        end
            v2 --> v3
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L91 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 91] cursor.execute(query)</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink



To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by flask-without-url-path-prestodb-sqli.

You can view more details about this finding in the Semgrep AppSec Platform.

try:
# Vulnerable SQL query using string interpolation
query = "SELECT password FROM users WHERE username = '{}'".format(username)
cursor.execute(query)


Semgrep identified an issue in your code:

Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-app/app2.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] request.form[&apos;username&apos;]</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L87 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 87] username</a>"]

            v3["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L90 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 90] query</a>"]
        end
            v2 --> v3
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L91 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 91] cursor.execute(query)</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink



To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by flask-prestodb-sqli.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +78 to +83
url = request.form['url']
try:
response = requests.get(url)
output = f"SSRF Response: {response.text[:200]}"
except Exception as e:
output = f"SSRF Error: {e}"


Semgrep identified an issue in your code:

Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssrf-injection-requests.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +46 to +58
sql = request.form['sql']
try:
# Execute the user's SQL query
cursor.execute(sql)
# Fetch all rows from the query result
rows = cursor.fetchall()
# Format the results for display
if rows:
output = "Results:\n" + "\n".join(str(row) for row in rows)
else:
output = "Query executed successfully, but no results found."
except Exception as e:
output = f"SQL Error: {e}"
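
Review bot: parameter binding cannot fix this hunk, because the entire statement comes from request.form['sql'], not a value inside a fixed query, and the Django QuerySet advice in the finding does not fit either (the other rule IDs on this file, generic-sql-flask and flask-prestodb-sqli, identify a Flask app). If the endpoint is meant to stay (the comment says it executes the user's SQL query), the remaining controls are an allowlist of fixed statements selected by a key rather than free text, a read-only database role for this connection, and not returning str(e) in `output = f"SQL Error: {e}"`, which hands the caller the engine's parse errors to steer further probing.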


Semgrep identified an issue in your code:

User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use Entry.objects.filter(date=2006).

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by sql-injection-db-cursor-execute.

You can view more details about this finding in the Semgrep AppSec Platform.

def fetch_url_content(url: str):
# Vulnerability: No validation of the URL (API10:2019 - Unsafe Consumption of APIs)
try:
response = requests.get(url)


Semgrep identified an issue in your code:

Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssrf-requests.

You can view more details about this finding in the Semgrep AppSec Platform.

sql = request.form['sql']
try:
# Execute the user's SQL query
cursor.execute(sql)


Semgrep identified an issue in your code:

Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.

Dataflow graph
flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>insecure-app/app2.py</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] request.form[&apos;sql&apos;]</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L46 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 46] sql</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/latiotech/insecure-kubernetes-deployments/blob/fa19aee8e986b08cc6246b51ab21c74927f9019d/insecure-app/app2.py#L49 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 49] sql</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink



To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by generic-sql-flask.

You can view more details about this finding in the Semgrep AppSec Platform.

Object deserializedObject = ois.readObject();
return ResponseEntity.ok("Object deserialized: " + deserializedObject.toString());
} catch (Exception e) {
e.printStackTrace();
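
Review bot: the finding on this hunk is the printStackTrace() call, but the line that needs review is `Object deserializedObject = ois.readObject();`. Where `ois` is constructed is outside the hunk; if it wraps request data, this is Java deserialization of untrusted input with no class filter in view, and the result is rendered straight back through toString(). Either install an ObjectInputFilter (java.io.ObjectInputFilter, JDK 9 and later) that allowlists the expected classes, or drop Java serialization for this endpoint in favour of a data-only format. Separately, route the exception to the application logger instead of `e.printStackTrace()` so the trace is not written to stdout in production.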


Semgrep identified an issue in your code:

Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by active-debug-code-printstacktrace.

You can view more details about this finding in the Semgrep AppSec Platform.

elif 'url' in request.form:
url = request.form['url']
try:
response = requests.get(url)
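
Review bot: `requests.get(url)` takes the form value as-is, so every scheme and host the library supports is reachable from the pod, including link-local and cluster-internal addresses. Beyond checking scheme and host against an allowlist before this call, pass `allow_redirects=False` (requests follows redirects by default, so an allowlisted host can bounce the request anywhere) and a `timeout=`, and do not echo the response body back to the caller.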


Semgrep identified an issue in your code:

Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
response = requests.get(url)
from urllib.parse import urlparse
# 7 - Server-Side Request Forgery (SSRF)
elif 'url' in request.form:
url = request.form['url']
try:
# Parse the URL and validate scheme and hostname
parsed_url = urlparse(url)
if parsed_url.scheme not in ['http', 'https']:
raise ValueError("Invalid URL scheme")
# Allowlist of trusted hostnames
allowed_hosts = ['example.com', 'api.example.com']
if parsed_url.hostname not in allowed_hosts:
raise ValueError("Hostname not allowed")
# Make the request securely
response = requests.get(url, timeout=5) # Added timeout for better security
output = f"SSRF Response: {response.text[:200]}"
except Exception as e:
output = f"SSRF Error: {e}"
View step-by-step instructions
  1. Validate the URL scheme to ensure it is either http or https. You can use Python's urlparse module for this. For example:

    from urllib.parse import urlparse
    
    parsed_url = urlparse(url)
    if parsed_url.scheme not in ['http', 'https']:
        raise ValueError("Invalid URL scheme")
  2. Implement an allowlist of trusted hostnames or IP addresses. Check if the parsed URL's hostname is in this allowlist before making the request. For example:

    allowed_hosts = ['example.com', 'api.example.com']
    if parsed_url.hostname not in allowed_hosts:
        raise ValueError("Hostname not allowed")
  3. Ensure that the response from the request is not directly forwarded to the user. Instead, process the response data securely and only expose necessary information.

  4. Use proper authentication and transport-layer security when making the proxied request. Ensure that the requests.get call uses https and any necessary authentication headers.

  5. Replace the requests.get(url) call with the validated and secured request logic.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by ssrf-requests.

You can view more details about this finding in the Semgrep AppSec Platform.
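
The two ssrf findings above and the Commit Assistant suggestion all reduce to the same control: parse the URL and compare scheme and host against an allowlist before the request is made. Added here as an illustration, not code from this PR or from Semgrep, is a validator that also handles the cases a first-cut allowlist usually misses (userinfo in the authority, IP literals, suffix matches, non-default ports). The allowlist, the probe URLs and all names in it are constructed for the example.

```python
# Added example; not code from the PR under review or from Semgrep.
# ALLOWED_HOSTS is a constructed allowlist; a real one comes from configuration.
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})
ALLOWED_PORTS = frozenset({None, 443})  # None = default port for the scheme


class UnsafeURL(ValueError):
    """The URL fails the outbound policy; the message names the failed rule."""


def check_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return url unchanged if it passes, otherwise raise UnsafeURL.

    Every rule must hold; the order only decides which reason is reported:
      1. scheme allowlisted (rejects file://, gopher://, plain http://);
      2. no userinfo, so 'https://api.example.com@evil.example/' cannot pose
         as an allowlisted host (urlparse puts 'api.example.com' in .username
         and 'evil.example' in .hostname);
      3. hostname is not an IP literal (v4 or v6), the usual way of reaching
         169.254.169.254 or loopback directly;
      4. hostname is an exact, case-insensitive allowlist member, never a
         suffix or substring match (which 'api.example.com.evil.example'
         would pass);
      5. port is one the allowlisted service actually serves.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL")
    host = parts.hostname  # already lower-cased by urlparse
    if not host:
        raise UnsafeURL("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise UnsafeURL(f"IP literal not allowed: {host}")
    if host not in allowed_hosts:
        raise UnsafeURL(f"host not allowed: {host}")
    try:
        port = parts.port
    except ValueError as exc:  # e.g. 'https://api.example.com:abc/'
        raise UnsafeURL("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    return url


def is_allowed(url: str) -> bool:
    """Boolean form of check_outbound_url for callers that only need a verdict."""
    try:
        check_outbound_url(url)
    except UnsafeURL:
        return False
    return True


def classify(urls) -> dict:
    """Map each URL to 'ok' or the reason it was rejected."""
    verdicts = {}
    for url in urls:
        try:
            check_outbound_url(url)
            verdicts[url] = "ok"
        except UnsafeURL as exc:
            verdicts[url] = str(exc)
    return verdicts


# Constructed probe URLs, one or more per rule above.
PROBES = [
    "https://api.example.com/v1/items",
    "https://API.Example.com:443/",
    "http://api.example.com/",
    "https://api.example.com@evil.example/",
    "https://api.example.com.evil.example/",
    "https://169.254.169.254/latest/meta-data/",
    "https://[::1]/",
    "file:///etc/passwd",
    "https://api.example.com:8443/",
]

if __name__ == "__main__":
    for url, verdict in classify(PROBES).items():
        print(f"{verdict:<40} {url}")
```

The check covers only the URL handed to it. If the fetch follows redirects (requests does by default), each hop needs the same check, or redirects must be disabled with allow_redirects=False. DNS is also outside its reach: an allowlisted name you do not control can resolve to a private address, which is why the allowlist should hold only services you operate or trust, and why the request still needs a timeout.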

username = ''
password = ''
try:
cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password))
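
Review bot: the `%` formatting here is the same injection pattern as the other findings on this file, but the same line has a second problem: the submitted password is compared to the `password` column inside the query, which only works if the database holds the plaintext password (or an unsalted transform of it). Verification belongs in application code: fetch the stored hash by username through a parameterized query, then compare with a slow password hash library's verify function (bcrypt, scrypt or Argon2).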


Semgrep identified an issue in your code:

Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.

To resolve this comment:

✨ Commit Assistant fix suggestion

Suggested change
cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password))
cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username, password))
View step-by-step instructions
  1. Replace the string interpolation in the execute method with parameterized queries to prevent SQL injection.
  2. Change the query to use placeholders: cursor.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username, password)).
  3. Ensure that username and password are properly sanitized and validated before being passed to the query.
💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by sqlalchemy-execute-raw-query.

You can view more details about this finding in the Semgrep AppSec Platform.

cursor = conn.cursor()
try:
sql_query = f"SELECT * FROM video_games WHERE title = '{query}'"
cursor.execute(sql_query)


Semgrep identified an issue in your code:

Detected possible formatted SQL query. Use parameterized queries instead.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by formatted-sql-query.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment on lines +18 to +29
- name: {{ .Values.insecureApp.appName }}
image: "{{ .Values.insecureApp.image.repository }}:{{ .Values.insecureApp.image.tag }}"
env:
- name: AWS_ACCESS_KEY_ID
value: AKIA2JAPX77RGLB664VE
- name: AWS_SECRET_ACCESS_KEY
value: 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
securityContext:
privileged: true
volumeMounts:
- name: docker-socket
mountPath: /var/run/docker.sock
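
Review bot: the finding covers `privileged: true`, but the env block in this hunk is worse: an AWS access key ID (the AKIA prefix marks a long-term IAM user key) and its secret are written into the pod spec as literal values, so they sit in the chart, in git history and in `kubectl describe pod` output for anyone with read access to the namespace. Treat both as compromised and rotate them, then supply credentials through a Secret (`valueFrom.secretKeyRef`) or, better, a pod identity (IRSA or EKS Pod Identity) so no static key exists at all. The `/var/run/docker.sock` mount is a second host-root equivalent alongside `privileged: true`; both should go, with `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and `runAsNonRoot: true` in the securityContext instead.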


Semgrep identified an issue in your code:

Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by privileged-container.

You can view more details about this finding in the Semgrep AppSec Platform.

1 participant